Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies;
false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and
the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties,
implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided
is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
Scan Information:
dependency-check version: 6.1.6
Report Generated On: Thu, 27 May 2021 23:58:56 +0200
Dependencies Scanned: 471 (464 unique)
Vulnerable Dependencies: 128
Vulnerabilities Found: 567
Vulnerabilities Suppressed: 0
...
NVD CVE Checked: 2021-05-27T23:58:35
NVD CVE Modified: 2021-05-27T22:00:01
VersionCheckOn: 2021-05-18T16:03:03
Summary Display: Showing Vulnerable Dependencies

Dependencies

HdrHistogram-2.1.11.jar
Description:
HdrHistogram supports the recording and analyzing sampled data value
counts across a configurable integer value range with configurable value
precision within the range. Value precision is expressed as the number of
significant digits in the value recording, and provides control over value
quantization behavior across the value range and the subsequent value
resolution at any given level.
License:
Public Domain, per Creative Commons CC0: http://creativecommons.org/publicdomain/zero/1.0/
BSD-2-Clause: https://opensource.org/licenses/BSD-2-Clause
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.hdrhistogram/HdrHistogram/2.1.11/1b035a1a4ce5d3441a4a1a331d04839ef487ec49/HdrHistogram-2.1.11.jar
MD5: f3a8c558c7786948ff98819f8eac191f
SHA1: 1b035a1a4ce5d3441a4a1a331d04839ef487ec49
SHA256: 96671e0898b35d602869efd9339b1929cdac855d2bc64922efbbcdd2209816bc
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath
Evidence:
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | url | http://hdrhistogram.github.io/HdrHistogram/ | Highest |
| Vendor | pom | name | HdrHistogram | High |
| Vendor | file | name | HdrHistogram | High |
| Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low |
| Vendor | Manifest | bundle-symbolicname | org.hdrhistogram.HdrHistogram | Medium |
| Vendor | Manifest | Implementation-Vendor-Id | org.hdrhistogram | Medium |
| Vendor | pom | groupid | hdrhistogram | Highest |
| Vendor | gradle | groupid | org.hdrhistogram | Highest |
| Vendor | pom | artifactid | HdrHistogram | Low |
| Vendor | jar | package name | hdrhistogram | Highest |
| Product | gradle | artifactid | HdrHistogram | Highest |
| Product | Manifest | Implementation-Title | HdrHistogram | High |
| Product | file | name | HdrHistogram | High |
| Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low |
| Product | Manifest | bundle-symbolicname | org.hdrhistogram.HdrHistogram | Medium |
| Product | Manifest | specification-title | HdrHistogram | Medium |
| Product | pom | groupid | hdrhistogram | Highest |
| Product | pom | artifactid | HdrHistogram | Highest |
| Product | pom | name | HdrHistogram | High |
| Product | jar | package name | version | Highest |
| Product | pom | url | http://hdrhistogram.github.io/HdrHistogram/ | Medium |
| Product | jar | package name | hdrhistogram | Highest |
| Product | Manifest | Bundle-Name | HdrHistogram | Medium |
| Version | file | version | 2.1.11 | High |
| Version | Manifest | Bundle-Version | 2.1.11 | High |
| Version | gradle | version | 2.1.11 | Highest |
| Version | pom | version | 2.1.11 | Highest |
| Version | Manifest | Implementation-Version | 2.1.11 | High |
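The File Path entries in this report point into Gradle's module cache, whose layout is `<group>/<artifact>/<version>/<sha1>/<file>`: the directory just above the jar is the artifact's SHA-1 as recorded when Gradle stored it (for HdrHistogram the path component 1b035a1a… equals the SHA1 line). The report only hashes what is on disk now, so a cached jar that was modified after download still carries its old directory name. The following script is an added example, not part of this report or of Dependency-Check; it walks a cache tree in that layout and flags every artifact whose real SHA-1 disagrees with its directory name. The cache it scans is constructed inline in a temporary directory (the `org.example:sample:1.0` artifact and its bytes are made up for the example) so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Tuple

# Gradle's module cache layout, as seen in the File Path lines of the report:
#   <GRADLE_USER_HOME>/caches/modules-2/files-2.1/<group>/<artifact>/<version>/<sha1>/<file>
FILES_ROOT = Path("caches") / "modules-2" / "files-2.1"


def sha1_of(path: Path) -> str:
    """Stream the file through SHA-1 (jars can be large)."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_gradle_cache(files_root: Path) -> Dict[str, Tuple[str, str, bool]]:
    """Walk the cache and compare each artifact's real SHA-1 with the SHA-1
    encoded in its parent directory name.  Returns
    {relative_path: (expected, actual, matches)}.  A mismatch means the file
    changed after Gradle stored it, which the report's File Path alone
    never reveals."""
    results: Dict[str, Tuple[str, str, bool]] = {}
    for path in sorted(files_root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(files_root)
        if len(rel.parts) != 5:           # group, artifact, version, sha1, file
            continue
        expected = rel.parts[3].lower()
        actual = sha1_of(path)
        results[str(rel)] = (expected, actual, expected == actual)
    return results


def build_constructed_cache(root: Path, tamper: bool) -> Path:
    """Constructed sample: a one-artifact cache in the layout above. With
    tamper=True the file is rewritten after its directory name was fixed,
    modelling post-download modification of a cached jar."""
    files_root = root / FILES_ROOT
    content = b"PK\x03\x04 constructed sample, not a real jar"
    digest = hashlib.sha1(content).hexdigest()
    jar = files_root / "org.example" / "sample" / "1.0" / digest / "sample-1.0.jar"
    jar.parent.mkdir(parents=True)
    jar.write_bytes(content)
    if tamper:
        jar.write_bytes(content + b"\n# injected")
    return files_root


def scan(tamper: bool) -> Dict[str, Tuple[str, str, bool]]:
    """Build the constructed cache in a temp dir and verify it."""
    with tempfile.TemporaryDirectory() as d:
        return verify_gradle_cache(build_constructed_cache(Path(d), tamper))


if __name__ == "__main__":
    for rel, (expected, actual, ok) in scan(tamper=True).items():
        print(f"{'OK ' if ok else 'BAD'} {rel}  dir={expected[:12]}  file={actual[:12]}")
```

Against a real cache, call `verify_gradle_cache(Path.home() / ".gradle" / FILES_ROOT)`. The check only proves the bytes are the ones Gradle originally stored; a jar that was already malicious when published passes it, which is why the NVD matching in this report and hash pinning at the repository level are still needed. SHA-1 is used here only because it is the identifier Gradle already embeds in the path, not as a collision-resistant commitment.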
LatencyUtils-2.0.3.jar
Description:
LatencyUtils is a package that provides latency recording and reporting utilities.
License:
Public Domain, per Creative Commons CC0: http://creativecommons.org/publicdomain/zero/1.0/
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.latencyutils/LatencyUtils/2.0.3/769c0b82cb2421c8256300e907298a9410a2a3d3/LatencyUtils-2.0.3.jar
MD5: 2ad12e1ef7614cecfb0483fa9ac6da73
SHA1: 769c0b82cb2421c8256300e907298a9410a2a3d3
SHA256: a32a9ffa06b2f4e01c5360f8f9df7bc5d9454a5d373cd8f361347fa5a57165ec
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath
Evidence:
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | gradle | groupid | org.latencyutils | Highest |
| Vendor | file | name | LatencyUtils | High |
| Vendor | jar | package name | latencyutils | Low |
| Vendor | pom | groupid | latencyutils | Highest |
| Vendor | jar | package name | latencyutils | Highest |
| Vendor | pom | url | http://latencyutils.github.io/LatencyUtils/ | Highest |
| Vendor | pom | artifactid | LatencyUtils | Low |
| Vendor | pom | name | LatencyUtils | High |
| Product | file | name | LatencyUtils | High |
| Product | pom | url | http://latencyutils.github.io/LatencyUtils/ | Medium |
| Product | gradle | artifactid | LatencyUtils | Highest |
| Product | pom | groupid | latencyutils | Highest |
| Product | pom | artifactid | LatencyUtils | Highest |
| Product | jar | package name | latencyutils | Highest |
| Product | pom | name | LatencyUtils | High |
| Version | pom | version | 2.0.3 | Highest |
| Version | file | version | 2.0.3 | High |
| Version | gradle | version | 2.0.3 | Highest |
RoaringBitmap-0.5.11.jar
Description:
Roaring bitmaps are compressed bitmaps (also called bitsets) which tend to outperform
conventional compressed bitmaps such as WAH or Concise.
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.roaringbitmap/RoaringBitmap/0.5.11/e6b04760ea1896fc36beea4f11b8649481bf5af7/RoaringBitmap-0.5.11.jar
MD5: 5598b28306a4480ad5c7debcdb516df2
SHA1: e6b04760ea1896fc36beea4f11b8649481bf5af7
SHA256: bad2fcf146d4a41cb188a28a4216f15cc470cd2fb6417a7d0005e7f8221ff312
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | url | lemire/RoaringBitmap | Highest |
| Vendor | jar | package name | roaringbitmap | Highest |
| Vendor | pom | artifactid | RoaringBitmap | Low |
| Vendor | pom | name | RoaringBitmap | High |
| Vendor | gradle | groupid | org.roaringbitmap | Highest |
| Vendor | file | name | RoaringBitmap | High |
| Vendor | Manifest | bundle-symbolicname | org.roaringbitmap.RoaringBitmap | Medium |
| Vendor | pom | groupid | roaringbitmap | Highest |
| Product | pom | url | lemire/RoaringBitmap | High |
| Product | jar | package name | roaringbitmap | Highest |
| Product | pom | name | RoaringBitmap | High |
| Product | file | name | RoaringBitmap | High |
| Product | Manifest | Bundle-Name | RoaringBitmap | Medium |
| Product | gradle | artifactid | RoaringBitmap | Highest |
| Product | Manifest | bundle-symbolicname | org.roaringbitmap.RoaringBitmap | Medium |
| Product | pom | groupid | roaringbitmap | Highest |
| Product | pom | artifactid | RoaringBitmap | Highest |
| Version | pom | version | 0.5.11 | Highest |
| Version | Manifest | Bundle-Version | 0.5.11 | High |
| Version | gradle | version | 0.5.11 | Highest |
| Version | file | version | 0.5.11 | High |
ST4-4.0.4.jar
Description:
StringTemplate is a java template engine for generating source code,
web pages, emails, or any other formatted text output.
StringTemplate is particularly good at multi-targeted code generators,
multiple site skins, and internationalization/localization.
It evolved over years of effort developing jGuru.com.
StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org
and powers the ANTLR v3 code generator. Its distinguishing characteristic
is that unlike other engines, it strictly enforces model-view separation.
Strict separation makes websites and code generators more flexible
and maintainable; it also provides an excellent defense against malicious
template authors.
There are currently about 600 StringTemplate source downloads a month.
License:
BSD licence: http://antlr.org/license.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.antlr/ST4/4.0.4/467a2aa12be6d0f0f68c70eecf6714ab733027ac/ST4-4.0.4.jar
MD5: 06856c607f242639cd52ef2b4c63ebc9
SHA1: 467a2aa12be6d0f0f68c70eecf6714ab733027ac
SHA256: 17cc49dc535a0fbe58c3a8634e774572bed31eb73415e9ce9d2703b977bf356f
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath
Evidence:
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | url | http://www.stringtemplate.org | Highest |
| Vendor | pom | name | ANTLR ST4 4.0.4 | High |
| Vendor | jar | package name | stringtemplate | Highest |
| Vendor | pom | artifactid | ST4 | Low |
| Vendor | jar | package name | v4 | Low |
| Vendor | gradle | groupid | org.antlr | Highest |
| Vendor | pom | groupid | antlr | Highest |
| Vendor | jar | package name | compiler | Low |
| Vendor | jar | package name | stringtemplate | Low |
| Vendor | file | name | ST4 | High |
| Product | pom | url | http://www.stringtemplate.org | Medium |
| Product | pom | artifactid | ST4 | Highest |
| Product | pom | name | ANTLR ST4 4.0.4 | High |
| Product | jar | package name | stringtemplate | Highest |
| Product | gradle | artifactid | ST4 | Highest |
| Product | jar | package name | v4 | Low |
| Product | pom | groupid | antlr | Highest |
| Product | jar | package name | compiler | Low |
| Product | file | name | ST4 | High |
| Version | pom | version | 4.0.4 | Highest |
| Version | gradle | version | 4.0.4 | Highest |
| Version | file | version | 4.0.4 | High |
Saxon-HE-9.9.1-6.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.sf.saxon/Saxon-HE/9.9.1-6/1905b27b0e4df1ee3a0857f403f64558ef780e6f/Saxon-HE-9.9.1-6.jar
MD5: 173398f1e38f077a0583900d99b4f5f9
SHA1: 1905b27b0e4df1ee3a0857f403f64558ef780e6f
SHA256: 00d1d0428752a245f1725293c0c0d102f735455b14028777baef42a90f3d93ec
Referenced In Projects/Scopes: splunk:checkstyle cassandra:checkstyle piglet:checkstyle calcite:checkstyle bom:checkstyle function:checkstyle spark:checkstyle plus:checkstyle pig:checkstyle druid:checkstyle csv:checkstyle core:checkstyle server:checkstyle file:checkstyle geode:checkstyle mongodb:checkstyle elasticsearch:checkstyle release:checkstyle kafka:checkstyle ubenchmark:checkstyle linq4j:checkstyle redis:checkstyle babel:checkstyle example:checkstyle innodb:checkstyle
Evidence:
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | jar | package name | saxon | Highest |
| Vendor | jar | package name | net | Low |
| Vendor | Manifest | project-name | Saxon-HE | Medium |
| Vendor | file | name | Saxon-HE | High |
| Vendor | gradle | groupid | net.sf.saxon | Highest |
| Vendor | jar | package name | sf | Low |
| Vendor | jar | package name | saxon | Low |
| Product | jar | package name | saxon | Highest |
| Product | gradle | artifactid | Saxon-HE | Highest |
| Product | Manifest | project-name | Saxon-HE | Medium |
| Product | file | name | Saxon-HE | High |
| Product | jar | package name | sf | Low |
| Product | jar | package name | saxon | Low |
| Version | file | name | Saxon-HE | Medium |
| Version | gradle | version | 9.9.1-6 | Highest |
| Version | file | version | 9.9.1.6 | High |
accessors-smart-1.2.jar
Description:
Java reflection gives poor performance on getter, setter and constructor calls; accessors-smart uses ASM to speed up those calls.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.minidev/accessors-smart/1.2/c592b500269bfde36096641b01238a8350f8aa31/accessors-smart-1.2.jar
MD5: c28b871d258b4d347559d2eb7ecec4a3
SHA1: c592b500269bfde36096641b01238a8350f8aa31
SHA256: 0c7c265d62fc007124dc32b91336e9c4272651d629bc5fa1a4e4e3bc758eb2e4
Referenced In Projects/Scopes: babel:default piglet:runtimeClasspath spark:default splunk:default function:runtimeClasspath kafka:default redis:runtimeClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath core:default babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default pig:default plus:runtimeClasspath function:default csv:default core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath core:compileClasspath file:runtimeClasspath innodb:runtimeClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default elasticsearch:default druid:runtimeClasspath mongodb:runtimeClasspath file:default server:default pig:runtimeClasspath mongodb:default redis:default geode:runtimeClasspath csv:runtimeClasspath plus:default cassandra:default
Evidence:
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | jar | package name | net | Highest |
| Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low |
| Vendor | pom | groupid | net.minidev | Highest |
| Vendor | jar | package name | asm | Highest |
| Vendor | pom | url | http://www.minidev.net/ | Highest |
| Vendor | Manifest | bundle-symbolicname | net.minidev.accessors-smart | Medium |
| Vendor | jar | package name | minidev | Highest |
| Vendor | pom | name | ASM based accessors helper used by json-smart | High |
| Vendor | pom | organization name | Chemouni Uriel | High |
| Vendor | file | name | accessors-smart | High |
| Vendor | pom | artifactid | accessors-smart | Low |
| Vendor | pom | organization url | http://www.minidev.net/ | Medium |
| Vendor | gradle | groupid | net.minidev | Highest |
| Vendor | Manifest | bundle-docurl | http://www.minidev.net/ | Low |
| Product | pom | organization url | http://www.minidev.net/ | Low |
| Product | Manifest | Bundle-Name | accessors-smart | Medium |
| Product | jar | package name | net | Highest |
| Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low |
| Product | pom | organization name | Chemouni Uriel | Low |
| Product | jar | package name | asm | Highest |
| Product | pom | groupid | net.minidev | Highest |
| Product | pom | artifactid | accessors-smart | Highest |
| Product | Manifest | bundle-symbolicname | net.minidev.accessors-smart | Medium |
| Product | jar | package name | minidev | Highest |
| Product | pom | name | ASM based accessors helper used by json-smart | High |
| Product | file | name | accessors-smart | High |
| Product | gradle | artifactid | accessors-smart | Highest |
| Product | pom | url | http://www.minidev.net/ | Medium |
| Product | Manifest | bundle-docurl | http://www.minidev.net/ | Low |
| Version | file | version | 1.2 | High |
| Version | Manifest | Bundle-Version | 1.2 | High |
| Version | pom | version | 1.2 | Highest |
| Version | gradle | version | 1.2 | Highest |
activation-1.1.1.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.activation/activation/1.1.1/485de3a253e23f645037828c07f1d7f1af40763a/activation-1.1.1.jar
MD5: 46a37512971d8eca81c3fcf245bf07d2
SHA1: 485de3a253e23f645037828c07f1d7f1af40763a
SHA256: ae475120e9fcd99b4b00b38329bd61cdc5eb754eee03fe66c01f50e137724f99
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | Manifest | Implementation-Vendor-Id | com.sun | Medium |
| Vendor | Manifest | extension-name | javax.activation | Medium |
| Vendor | Manifest | specification-vendor | Sun Microsystems, Inc. | Low |
| Vendor | jar | package name | sun | Highest |
| Vendor | Manifest | Implementation-Vendor | Sun Microsystems, Inc. | High |
| Vendor | jar | package name | javax | Low |
| Vendor | file | name | activation | High |
| Vendor | jar | package name | activation | Highest |
| Vendor | gradle | groupid | javax.activation | Highest |
| Vendor | jar | package name | javax | Highest |
| Vendor | jar | package name | activation | Low |
| Vendor | jar (hint) | package name | oracle | Highest |
| Product | Manifest | extension-name | javax.activation | Medium |
| Product | gradle | artifactid | activation | Highest |
| Product | jar | package name | javax | Highest |
| Product | jar | package name | activation | Low |
| Product | file | name | activation | High |
| Product | Manifest | specification-title | JavaBeans(TM) Activation Framework Specification | Medium |
| Product | jar | package name | activation | Highest |
| Version | Manifest | Implementation-Version | 1.1.1 | High |
| Version | file | version | 1.1.1 | High |
activation-1.1.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.activation/activation/1.1/e6cb541461c2834bdea3eb920f1884d1eb508b50/activation-1.1.jar
MD5: 8ae38e87cd4f86059c0294a8fe3e0b18
SHA1: e6cb541461c2834bdea3eb920f1884d1eb508b50
SHA256: 2881c79c9d6ef01c58e62beea13e9d1ac8b8baa16f2fc198ad6e6776defdcdd3
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath piglet:default
Evidence:
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | Manifest | Implementation-Vendor-Id | com.sun | Medium |
| Vendor | Manifest | extension-name | javax.activation | Medium |
| Vendor | Manifest | specification-vendor | Sun Microsystems, Inc. | Low |
| Vendor | jar | package name | sun | Highest |
| Vendor | Manifest | Implementation-Vendor | Sun Microsystems, Inc. | High |
| Vendor | jar | package name | javax | Low |
| Vendor | file | name | activation | High |
| Vendor | jar | package name | activation | Highest |
| Vendor | gradle | groupid | javax.activation | Highest |
| Vendor | jar | package name | javax | Highest |
| Vendor | jar | package name | activation | Low |
| Vendor | jar (hint) | package name | oracle | Highest |
| Product | Manifest | extension-name | javax.activation | Medium |
| Product | gradle | artifactid | activation | Highest |
| Product | jar | package name | javax | Highest |
| Product | jar | package name | activation | Low |
| Product | file | name | activation | High |
| Product | Manifest | specification-title | JavaBeans(TM) Activation Framework Specification | Medium |
| Product | jar | package name | activation | Highest |
| Version | file | version | 1.1 | High |
| Version | Manifest | Implementation-Version | 1.1 | High |
aggdesigner-algorithm-6.0.jar
Description:
Algorithm that designs aggregate tables
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.hydromatic/aggdesigner-algorithm/6.0/bd0cd7ad1e3791a8a0929df0dcdbffc02fd0bab4/aggdesigner-algorithm-6.0.jar
MD5: 4a49fceeeb87328bc23d9da4879112d6
SHA1: bd0cd7ad1e3791a8a0929df0dcdbffc02fd0bab4
SHA256: 9c06b3af57653eaf004231818cc8e91569d832d0b24ae1a8600daf023c050bfb
Referenced In Projects/Scopes: babel:default piglet:runtimeClasspath spark:default splunk:default function:runtimeClasspath kafka:default redis:runtimeClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath core:default babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default pig:default plus:runtimeClasspath function:default csv:default core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath core:compileClasspath file:runtimeClasspath innodb:runtimeClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default elasticsearch:default druid:runtimeClasspath mongodb:runtimeClasspath file:default server:default pig:runtimeClasspath mongodb:default redis:default geode:runtimeClasspath csv:runtimeClasspath plus:default cassandra:default
Evidence:
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | aggdesigner-algorithm | High |
| Vendor | jar | package name | aggregate | Highest |
| Vendor | jar | package name | algorithm | Highest |
| Vendor | pom | parent-artifactid | aggdesigner | Low |
| Vendor | pom | name | Aggregate Designer Algorithm | High |
| Vendor | jar | package name | pentaho | Low |
| Vendor | gradle | groupid | net.hydromatic | Highest |
| Vendor | pom | groupid | net.hydromatic | Highest |
| Vendor | jar | package name | algorithm | Low |
| Vendor | jar | package name | aggdes | Low |
| Vendor | pom | artifactid | aggdesigner-algorithm | Low |
| Product | gradle | artifactid | aggdesigner-algorithm | Highest |
| Product | file | name | aggdesigner-algorithm | High |
| Product | jar | package name | aggregate | Highest |
| Product | jar | package name | algorithm | Highest |
| Product | pom | name | Aggregate Designer Algorithm | High |
| Product | pom | parent-artifactid | aggdesigner | Medium |
| Product | pom | artifactid | aggdesigner-algorithm | Highest |
| Product | pom | groupid | net.hydromatic | Highest |
| Product | jar | package name | algorithm | Low |
| Product | jar | package name | aggdes | Low |
| Version | file | version | 6.0 | High |
| Version | gradle | version | 6.0 | Highest |
| Version | pom | version | 6.0 | Highest |
airline-0.7.jar
Description:
Java annotation-based framework for parsing Git like command line structures
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.airlift/airline/0.7/16edc11b7d2d09e2db512f8028f05b9c48532229/airline-0.7.jar
MD5: 74da3d8dd81d16835097bcc094227430
SHA1: 16edc11b7d2d09e2db512f8028f05b9c48532229
SHA256: 2ebe3cc06cadee9273a9bdaff6b582e07c201c0bb44881760eed49861374756d
Referenced In Projects/Scopes: calcite:sqllineClasspath plus:compileClasspath plus:default plus:runtimeClasspath
Evidence:
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | airline | High |
| Vendor | jar | package name | airlift | Highest |
| Vendor | Manifest | Implementation-Vendor-Id | io.airlift | Medium |
| Vendor | pom | groupid | io.airlift | Highest |
| Vendor | pom | parent-artifactid | airbase | Low |
| Vendor | pom | name | airline | High |
| Vendor | gradle | groupid | io.airlift | Highest |
| Vendor | pom | artifactid | airline | Low |
| Vendor | jar | package name | command | Highest |
| Vendor | pom | url | airlift/airline | Highest |
| Vendor | jar | package name | io | Highest |
| Vendor | jar | package name | airline | Highest |
| Product | gradle | artifactid | airline | Highest |
| Product | file | name | airline | High |
| Product | Manifest | specification-title | airline | Medium |
| Product | jar | package name | airlift | Highest |
| Product | Manifest | Implementation-Title | airline | High |
| Product | pom | groupid | io.airlift | Highest |
| Product | pom | artifactid | airline | Highest |
| Product | pom | name | airline | High |
| Product | jar | package name | command | Highest |
| Product | pom | url | airlift/airline | High |
| Product | pom | parent-artifactid | airbase | Medium |
| Product | jar | package name | io | Highest |
| Product | jar | package name | airline | Highest |
| Version | file | version | 0.7 | High |
| Version | gradle | version | 0.7 | Highest |
| Version | pom | parent-version | 0.7 | Low |
| Version | Manifest | Implementation-Version | 0.7 | High |
| Version | pom | version | 0.7 | Highest |
animal-sniffer-annotations-1.18.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.mojo/animal-sniffer-annotations/1.18/f7aa683ea79dc6681ee9fb95756c999acbb62f5d/animal-sniffer-annotations-1.18.jar
MD5: f0a84f9b30590b3aa76edc893d6fe4ff
SHA1: f7aa683ea79dc6681ee9fb95756c999acbb62f5d
SHA256: 47f05852b48ee9baefef80fa3d8cea60efa4753c0013121dd7fe5eef2e5c729d
Referenced In Projects/Scopes: splunk:checkstyle cassandra:checkstyle piglet:checkstyle calcite:checkstyle bom:checkstyle function:checkstyle spark:checkstyle plus:checkstyle pig:checkstyle druid:checkstyle csv:checkstyle core:checkstyle server:checkstyle file:checkstyle geode:checkstyle mongodb:checkstyle elasticsearch:checkstyle release:checkstyle kafka:checkstyle ubenchmark:checkstyle linq4j:checkstyle redis:checkstyle babel:checkstyle example:checkstyle innodb:checkstyle
Evidence:
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | parent-groupid | org.codehaus.mojo | Medium |
| Vendor | gradle | groupid | org.codehaus.mojo | Highest |
| Vendor | pom | artifactid | animal-sniffer-annotations | Low |
| Vendor | pom | name | Animal Sniffer Annotations | High |
| Vendor | jar | package name | codehaus | Low |
| Vendor | file | name | animal-sniffer-annotations | High |
| Vendor | jar | package name | mojo | Highest |
| Vendor | pom | parent-artifactid | animal-sniffer-parent | Low |
| Vendor | pom | groupid | codehaus.mojo | Highest |
| Vendor | jar | package name | mojo | Low |
| Vendor | jar | package name | codehaus | Highest |
| Vendor | jar | package name | animal_sniffer | Low |
| Product | pom | parent-groupid | org.codehaus.mojo | Medium |
| Product | jar | package name | ignorejrerequirement | Low |
| Product | gradle | artifactid | animal-sniffer-annotations | Highest |
| Product | pom | name | Animal Sniffer Annotations | High |
| Product | file | name | animal-sniffer-annotations | High |
| Product | jar | package name | mojo | Highest |
| Product | pom | groupid | codehaus.mojo | Highest |
| Product | pom | artifactid | animal-sniffer-annotations | Highest |
| Product | jar | package name | mojo | Low |
| Product | jar | package name | codehaus | Highest |
| Product | jar | package name | animal_sniffer | Low |
| Product | pom | parent-artifactid | animal-sniffer-parent | Medium |
| Version | file | version | 1.18 | High |
| Version | pom | version | 1.18 | Highest |
| Version | gradle | version | 1.18 | Highest |
annotations-13.0.jar
Description:
A set of annotations used for code inspection support and code documentation.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains/annotations/13.0/919f0dfe192fb4e063e7dacadee7f8bb9a2672a9/annotations-13.0.jar
MD5: f4fb462172517b46b6cd90003508515a
SHA1: 919f0dfe192fb4e063e7dacadee7f8bb9a2672a9
SHA256: ace2a10dc8e2d5fd34925ecac03e4988b2c0f851650c94b8cef49ba1bd111478
Referenced In Projects/Scopes: core:kotlinCompilerClasspath core:kotlinCompilerPluginClasspath
Evidence:
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | groupid | jetbrains | Highest |
| Vendor | pom | artifactid | annotations | Low |
| Vendor | jar | package name | intellij | Low |
| Vendor | jar | package name | intellij | Highest |
| Vendor | jar | package name | jetbrains | Highest |
| Vendor | gradle | groupid | org.jetbrains | Highest |
| Vendor | pom | url | http://www.jetbrains.org | Highest |
| Vendor | jar | package name | lang | Low |
| Vendor | pom | name | IntelliJ IDEA Annotations | High |
| Vendor | jar | package name | annotations | Low |
| Vendor | jar | package name | annotations | Highest |
| Vendor | file | name | annotations | High |
| Product | pom | groupid | jetbrains | Highest |
| Product | pom | url | http://www.jetbrains.org | Medium |
| Product | jar | package name | annotations | Highest |
| Product | gradle | artifactid | annotations | Highest |
| Product | pom | artifactid | annotations | Highest |
| Product | file | name | annotations | High |
| Product | jar | package name | intellij | Highest |
| Product | jar | package name | jetbrains | Highest |
| Product | jar | package name | lang | Low |
| Product | pom | name | IntelliJ IDEA Annotations | High |
| Product | jar | package name | annotations | Low |
| Version | file | version | 13.0 | High |
| Version | pom | version | 13.0 | Highest |
| Version | gradle | version | 13.0 | Highest |
annotations-2.0.3.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.code.findbugs/annotations/2.0.3/191383fa0deb88f393558eec231b206edc23aba0/annotations-2.0.3.jar
MD5: 276433efe0027762cffb7e4adc9262da
SHA1: 191383fa0deb88f393558eec231b206edc23aba0
SHA256: 3ad1e8f838dbd6da3424a451d5d9262ea9c526eddb627b54b885cfd332efbc99
Referenced In Projects/Scopes: calcite:sqllineClasspath plus:compileClasspath plus:default plus:runtimeClasspath
Evidence:
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | gradle | groupid | com.google.code.findbugs | Highest |
| Vendor | jar | package name | annotation | Low |
| Vendor | jar | package name | javax | Low |
| Vendor | file | name | annotations | High |
| Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low |
| Vendor | Manifest | bundle-symbolicname | findbugsAnnotations | Medium |
| Product | gradle | artifactid | annotations | Highest |
| Product | jar | package name | annotation | Low |
| Product | file | name | annotations | High |
| Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low |
| Product | Manifest | Bundle-Name | FindbugsAnnotations | Medium |
| Product | Manifest | bundle-symbolicname | findbugsAnnotations | Medium |
| Version | Manifest | Bundle-Version | 2.0.3 | High |
| Version | file | version | 2.0.3 | High |
| Version | file | name | annotations | Medium |
| Version | gradle | version | 2.0.3 | Highest |
ant-1.6.5.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/ant/ant/1.6.5/7d18faf23df1a5c3a43613952e0e8a182664564b/ant-1.6.5.jar
MD5: c5c499f1eef9367c657e89bb881c69aa
SHA1: 7d18faf23df1a5c3a43613952e0e8a182664564b
SHA256: f06a601c718a7c9262d74b7ec3baad14c82584e89235089b4f821d6a44d9e1e4
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath
Evidence:
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | manifest: org/apache/tools/ant/ | Implementation-Vendor | Apache Software Foundation | Medium |
| Vendor | gradle | groupid | ant | Highest |
| Vendor | jar | package name | apache | Highest |
| Vendor | file | name | ant | High |
| Vendor | jar | package name | ant | Low |
| Vendor | jar | package name | apache | Low |
| Vendor | jar | package name | tools | Low |
| Product | manifest: org/apache/tools/ant/ | Implementation-Title | org.apache.tools.ant | Medium |
| Product | jar | package name | apache | Highest |
| Product | file | name | ant | High |
| Product | jar | package name | ant | Low |
| Product | jar | package name | tools | Highest |
| Product | jar | package name | ant | Highest |
| Product | manifest: org/apache/tools/ant/ | Specification-Title | Apache Ant | Medium |
| Product | jar | package name | tools | Low |
| Product | gradle | artifactid | ant | Highest |
| Version | file | name | ant | Medium |
| Version | gradle | version | 1.6.5 | Highest |
| Version | manifest: org/apache/tools/ant/ | Implementation-Version | 1.6.5 | Medium |
| Version | file | version | 1.6.5 | High |
Published Vulnerabilities
CVE-2020-1945
Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree, allowing an attacker to inject modified source files into the build process. The scanned ant-1.6.5.jar falls inside the affected 1.1 to 1.9.14 range (the fix shipped in Ant 1.9.15 and 1.10.8).
CWE-200 Information Exposure
CVSSv2:
Base Score: LOW (3.3) Vector: AV:L/AC:M/Au:N/C:P/I:P/A:N
CVSSv3:
Base Score: MEDIUM (6.3) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
References:
Vulnerable Software & Versions:
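The CVE text describes two distinct problems: a shared, world-readable temporary directory leaks whatever the build writes there, and copying a temp file back into the build tree by path lets another local user who can write to that directory swap in their own content first. The script below is an added example, not part of this report and not Ant's code; it reproduces that class in Python with a `fixcrlf`-like transformation so the mechanism and the fix can be run side by side. The `attacker` hook, the `plant_payload` function and the sample `A.java`/`B.java`/`C.java` files are constructed for the example; the hook runs as the same user, which is why the hardened version's identity check is what the demo exercises (a different user would already be stopped by the 0700 directory).

```python
import os
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Dict, Optional

Hook = Optional[Callable[[Path], None]]


def convert_crlf(data: bytes) -> bytes:
    """Stand-in for the fixcrlf transformation: normalise CRLF to LF."""
    return data.replace(b"\r\n", b"\n")


def fixcrlf_shared_tmp(src: Path, shared_tmp: Path, attacker: Hook = None) -> None:
    """Vulnerable pattern: a predictable file name in a shared temp directory,
    then the temp file is copied back into the build tree by path. The
    `attacker` hook is a constructed stand-in for another local user acting
    between the write and the copy-back; it is not anything Ant does."""
    tmp = shared_tmp / ("fixcrlf" + src.name)          # predictable, shared location
    tmp.write_bytes(convert_crlf(src.read_bytes()))   # converted source readable by others
    if attacker:
        attacker(tmp)
    shutil.copyfile(tmp, src)                          # whatever sits at `tmp` now enters the build


def fixcrlf_private_tmp(src: Path, attacker: Hook = None) -> None:
    """Hardened pattern: a per-build private directory (mkdtemp creates it
    with mode 0700), an unpredictable O_EXCL file name, and a copy-back that
    reads through the still-open descriptor instead of the path. The open
    descriptor pins the original inode, so a file swapped in at the same
    path must show a different (device, inode) pair and is refused."""
    private_dir = Path(tempfile.mkdtemp(prefix="build-"))
    try:
        fd, name = tempfile.mkstemp(dir=private_dir)
        tmp = Path(name)
        with os.fdopen(fd, "w+b") as f:
            f.write(convert_crlf(src.read_bytes()))
            f.flush()
            if attacker:   # same-user hook for the demo; other users never get past 0700
                attacker(tmp)
            via_fd, via_path = os.fstat(f.fileno()), os.lstat(tmp)
            if (via_fd.st_dev, via_fd.st_ino) != (via_path.st_dev, via_path.st_ino):
                raise RuntimeError("temp file was replaced; refusing to copy it into the build tree")
            f.seek(0)
            src.write_bytes(f.read())
    finally:
        shutil.rmtree(private_dir, ignore_errors=True)


def plant_payload(tmp: Path) -> None:
    """Constructed attacker action: replace the temp file with injected source."""
    tmp.unlink()
    tmp.write_bytes(b"// injected\n")


def demo() -> Dict[str, object]:
    """Run both patterns against constructed source files and report what
    ended up in the build tree in each case."""
    original = b"class A {}\r\n"
    out: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        shared = root / "tmp"                 # stands in for java.io.tmpdir
        shared.mkdir()

        a = root / "A.java"
        a.write_bytes(original)
        fixcrlf_shared_tmp(a, shared, attacker=plant_payload)
        out["shared_tmp_result"] = a.read_bytes()

        b = root / "B.java"
        b.write_bytes(original)
        try:
            fixcrlf_private_tmp(b, attacker=plant_payload)
            out["private_tmp_refused"] = False
        except RuntimeError:
            out["private_tmp_refused"] = True
        out["private_tmp_result"] = b.read_bytes()

        c = root / "C.java"
        c.write_bytes(original)
        fixcrlf_private_tmp(c)
        out["clean_result"] = c.read_bytes()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The design point is that the fix is not one thing: the private 0700 directory removes the information leak and blocks other users, the unpredictable name removes the pre-planting race, and reading back through the descriptor means the build never trusts a path it has let go of. For the real dependency, the only remediation is to move the affected modules off ant 1.6.5 to a version at or above 1.9.15 / 1.10.8, or to drop the dependency where it is only pulled in transitively.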
antlr-2.7.7.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/antlr/antlr/2.7.7/83cd2cd674a217ade95a4bb83a8a14f351f48bd0/antlr-2.7.7.jar
MD5: f8f1352c52a4c6a500b597596501fc64
SHA1: 83cd2cd674a217ade95a4bb83a8a14f351f48bd0
SHA256: 88fbda4b912596b9f56e8e12e580cc954bacfb51776ecfddd3e18fc1cf56dc4c
Referenced In Projects/Scopes: piglet:compileClasspath splunk:checkstyle cassandra:checkstyle piglet:checkstyle calcite:checkstyle bom:checkstyle piglet:runtimeClasspath function:checkstyle spark:checkstyle plus:checkstyle pig:checkstyle druid:checkstyle csv:checkstyle piglet:default pig:default core:checkstyle server:checkstyle file:checkstyle calcite:sqllineClasspath geode:default geode:checkstyle geode:compileClasspath mongodb:checkstyle elasticsearch:checkstyle release:checkstyle kafka:checkstyle ubenchmark:checkstyle linq4j:checkstyle redis:checkstyle babel:checkstyle example:checkstyle pig:runtimeClasspath geode:runtimeClasspath pig:compileClasspath innodb:checkstyle
Evidence:
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | gradle | groupid | antlr | Highest |
| Vendor | jar | package name | antlr | Low |
| Vendor | file | name | antlr | High |
| Product | gradle | artifactid | antlr | Highest |
| Product | file | name | antlr | High |
| Version | file | name | antlr | Medium |
| Version | file | version | 2.7.7 | High |
| Version | gradle | version | 2.7.7 | Highest |
antlr-runtime-3.4.jar
Description:
A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.antlr/antlr-runtime/3.4/8f011408269a8e42b8548687e137d8eeb56df4b4/antlr-runtime-3.4.jar
MD5: 0e0318be407e51fdf7ba6777eabfdf73
SHA1: 8f011408269a8e42b8548687e137d8eeb56df4b4
SHA256: 5b7cf53b7b30b034023f58030c8147c433f2bee0fe7dec8fae6bebf3708c5a63
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath
Evidence:
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | artifactid | antlr-runtime | Low |
| Vendor | pom | url | http://www.antlr.org | Highest |
| Vendor | pom | parent-artifactid | antlr-master | Low |
| Vendor | pom | name | Antlr 3.4 Runtime | High |
| Vendor | pom | groupid | antlr | Highest |
| Vendor | jar | package name | antlr | Low |
| Vendor | jar | package name | runtime | Low |
| Vendor | pom | parent-groupid | org.antlr | Medium |
| Vendor | jar | package name | runtime | Highest |
| Vendor | gradle | groupid | org.antlr | Highest |
| Vendor | jar | package name | antlr | Highest |
| Vendor | file | name | antlr-runtime | High |
| Product | pom | url | http://www.antlr.org | Medium |
| Product | pom | parent-artifactid | antlr-master | Medium |
| Product | pom | artifactid | antlr-runtime | Highest |
| Product | jar | package name | runtime | Highest |
| Product | pom | name | Antlr 3.4 Runtime | High |
| Product | gradle | artifactid | antlr-runtime | Highest |
| Product | pom | groupid | antlr | Highest |
| Product | jar | package name | antlr | Highest |
| Product | file | name | antlr-runtime | High |
| Product | jar | package name | runtime | Low |
| Product | pom | parent-groupid | org.antlr | Medium |
| Version | file | version | 3.4 | High |
| Version | gradle | version | 3.4 | Highest |
| Version | pom | version | 3.4 | Highest |
antlr-runtime-3.5.2.jar
Description:
A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.antlr/antlr-runtime/3.5.2/cd9cd41361c155f3af0f653009dcecb08d8b4afd/antlr-runtime-3.5.2.jar
MD5: 1fbbae2cb72530207c20b797bdabd029
SHA1: cd9cd41361c155f3af0f653009dcecb08d8b4afd
SHA256: ce3fc8ecb10f39e9a3cddcbb2ce350d272d9cd3d0b1e18e6fe73c3b9389c8734
Referenced In Projects/Scopes: file:compileClasspath file:runtimeClasspath calcite:sqllineClasspath csv:runtimeClasspath file:default csv:default
Evidence:
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | artifactid | antlr-runtime | Low |
| Vendor | pom | url | http://www.antlr.org | Highest |
| Vendor | pom | parent-artifactid | antlr-master | Low |
| Vendor | pom | groupid | antlr | Highest |
| Vendor | pom | parent-groupid | org.antlr | Medium |
| Vendor | jar | package name | runtime | Highest |
| Vendor | Manifest | Implementation-Vendor | ANTLR | High |
| Vendor | gradle | groupid | org.antlr | Highest |
| Vendor | jar | package name | antlr | Highest |
| Vendor | pom | name | ANTLR 3 Runtime | High |
| Vendor | file | name | antlr-runtime | High |
| Vendor | Manifest | Implementation-Vendor-Id | org.antlr | Medium |
| Product | pom | url | http://www.antlr.org | Medium |
| Product | pom | parent-artifactid | antlr-master | Medium |
| Product | jar | package name | runtime | Highest |
| Product | pom | artifactid | antlr-runtime | Highest |
| Product | gradle | artifactid | antlr-runtime | Highest |
| Product | jar | package name | antlr | Highest |
| Product | pom | groupid | antlr | Highest |
| Product | pom | name | ANTLR 3 Runtime | High |
| Product | file | name | antlr-runtime | High |
| Product | Manifest | Implementation-Title | ANTLR 3 Runtime | High |
| Product | pom | parent-groupid | org.antlr | Medium |
| Version | Manifest | Implementation-Version | 3.5.2 | High |
| Version | pom | version | 3.5.2 | Highest |
| Version | gradle | version | 3.5.2 | Highest |
| Version | file | version | 3.5.2 | High |
antlr4-runtime-4.7.2.jar
Description: The ANTLR 4 Runtime
License: http://www.antlr.org/license.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.antlr/antlr4-runtime/4.7.2/e27d8ab4f984f9d186f54da984a6ab1cccac755e/antlr4-runtime-4.7.2.jar
MD5: 2592a7a5d7320ad5f6677bf41f77a101
SHA1: e27d8ab4f984f9d186f54da984a6ab1cccac755e
SHA256: 4c518b87d4bdff8b44cd8cbc1af816e944b62a3fe5b80b781501cf1f4759bbc4
Referenced In Projects/Scopes: splunk:checkstyle cassandra:checkstyle piglet:checkstyle calcite:checkstyle bom:checkstyle function:checkstyle spark:checkstyle plus:checkstyle pig:checkstyle druid:checkstyle csv:checkstyle core:checkstyle server:checkstyle file:checkstyle geode:checkstyle mongodb:checkstyle elasticsearch:checkstyle release:checkstyle kafka:checkstyle ubenchmark:checkstyle linq4j:checkstyle redis:checkstyle babel:checkstyle example:checkstyle innodb:checkstyle
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | antlr4-runtime | Low
Vendor | Manifest | bundle-docurl | http://www.antlr.org | Low
Vendor | pom | name | ANTLR 4 Runtime | High
Vendor | file | name | antlr4-runtime | High
Vendor | Manifest | implementation-url | http://www.antlr.org/runtime/antlr4-runtime | Low
Vendor | pom | groupid | antlr | Highest
Vendor | pom | parent-groupid | org.antlr | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | Manifest | automatic-module-name | org.antlr.antlr4.runtime | Medium
Vendor | jar | package name | runtime | Highest
Vendor | Manifest | Implementation-Vendor | ANTLR | High
Vendor | pom | parent-artifactid | antlr4-master | Low
Vendor | gradle | groupid | org.antlr | Highest
Vendor | jar | package name | antlr | Highest
Vendor | Manifest | bundle-symbolicname | org.antlr.antlr4-runtime | Medium
Vendor | Manifest | Implementation-Vendor-Id | org.antlr | Medium
Product | Manifest | bundle-docurl | http://www.antlr.org | Low
Product | pom | name | ANTLR 4 Runtime | High
Product | file | name | antlr4-runtime | High
Product | Manifest | implementation-url | http://www.antlr.org/runtime/antlr4-runtime | Low
Product | pom | groupid | antlr | Highest
Product | pom | parent-groupid | org.antlr | Medium
Product | pom | artifactid | antlr4-runtime | Highest
Product | pom | parent-artifactid | antlr4-master | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | Manifest | Implementation-Title | ANTLR 4 Runtime | High
Product | Manifest | automatic-module-name | org.antlr.antlr4.runtime | Medium
Product | jar | package name | runtime | Highest
Product | gradle | artifactid | antlr4-runtime | Highest
Product | jar | package name | antlr | Highest
Product | Manifest | bundle-symbolicname | org.antlr.antlr4-runtime | Medium
Product | Manifest | Bundle-Name | ANTLR 4 Runtime | Medium
Version | gradle | version | 4.7.2 | Highest
Version | Manifest | Implementation-Version | 4.7.2 | High
Version | pom | version | 4.7.2 | Highest
Version | Manifest | Bundle-Version | 4.7.2 | High
Version | file | version | 4.7.2 | High
aopalliance-1.0.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/aopalliance/aopalliance/1.0/235ba8b489512805ac13a8f9ea77a1ca5ebe3e8/aopalliance-1.0.jar
MD5: 04177054e180d09e3998808efa0401c7
SHA1: 0235ba8b489512805ac13a8f9ea77a1ca5ebe3e8
SHA256: 0addec670fedcd3f113c5c8091d783280d23f75e3acb841b61a9cdb079376a08
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | aopalliance | High
Vendor | jar | package name | intercept | Low
Vendor | jar | package name | aopalliance | Low
Vendor | gradle | groupid | aopalliance | Highest
Product | gradle | artifactid | aopalliance | Highest
Product | file | name | aopalliance | High
Product | jar | package name | intercept | Low
Version | file | version | 1.0 | High
Version | file | name | aopalliance | Medium
Version | gradle | version | 1.0 | Highest
aopalliance-repackaged-2.4.0-b34.jar
Description: Dependency Injection Kernel
License: https://glassfish.java.net/nonav/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.hk2.external/aopalliance-repackaged/2.4.0-b34/3d5e856dbc91a3a2b0bcb3a3424f8b62421ae4cf/aopalliance-repackaged-2.4.0-b34.jar
MD5: 57983543b3574e117d6f03ceff5f238c
SHA1: 3d5e856dbc91a3a2b0bcb3a3424f8b62421ae4cf
SHA256: 5d3cb0cece722c7ba8ab987b931053cdbcb0cb12ad5c8c8a7691eb6f7e60a64b
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | bundle-docurl | http://www.oracle.com | Low
Vendor | pom | artifactid | aopalliance-repackaged | Low
Vendor | pom | name | aopalliance version ${aopalliance.version} repackaged as a module | High
Vendor | Manifest | bundle-symbolicname | org.glassfish.hk2.external.aopalliance-repackaged | Medium
Vendor | gradle | groupid | org.glassfish.hk2.external | Highest
Vendor | jar | package name | aopalliance | Highest
Vendor | pom | parent-groupid | org.glassfish.hk2 | Medium
Vendor | file | name | aopalliance-repackaged | High
Vendor | pom | groupid | glassfish.hk2.external | Highest
Vendor | pom | parent-artifactid | external | Low
Product | Manifest | bundle-docurl | http://www.oracle.com | Low
Product | pom | name | aopalliance version ${aopalliance.version} repackaged as a module | High
Product | Manifest | bundle-symbolicname | org.glassfish.hk2.external.aopalliance-repackaged | Medium
Product | jar | package name | aopalliance | Highest
Product | gradle | artifactid | aopalliance-repackaged | Highest
Product | pom | parent-groupid | org.glassfish.hk2 | Medium
Product | pom | parent-artifactid | external | Medium
Product | file | name | aopalliance-repackaged | High
Product | Manifest | Bundle-Name | aopalliance version 1.0 repackaged as a module | Medium
Product | pom | groupid | glassfish.hk2.external | Highest
Product | pom | artifactid | aopalliance-repackaged | Highest
Version | gradle | version | 2.4.0-b34 | Highest
Version | pom | version | 2.4.0-b34 | Highest
apacheds-i18n-2.0.0-M15.jar
Description: Internationalization of errors and other messages
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.directory.server/apacheds-i18n/2.0.0-M15/71c61c84683152ec2a6a65f3f96fe534e304fa22/apacheds-i18n-2.0.0-M15.jar
MD5: f5877c02fd56ade67713560e589c81b9
SHA1: 71c61c84683152ec2a6a65f3f96fe534e304fa22
SHA256: bd3b7cece7fc6364cbce32b9edd0e9628a3e889c6a93cdeff1b5e2131e2a007c
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | jar | package name | directory | Highest
Vendor | Manifest | bundle-symbolicname | org.apache.directory.server.i18n | Medium
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | jar | package name | server | Low
Vendor | jar | package name | directory | Low
Vendor | jar | package name | apache | Highest
Vendor | Manifest | bundle-docurl | http://www.apache.org/ | Low
Vendor | file | name | apacheds-i18n | High
Vendor | jar | package name | i18n | Highest
Vendor | jar | package name | server | Highest
Vendor | jar | package name | apache | Low
Vendor | gradle | groupid | org.apache.directory.server | Highest
Vendor | Manifest | Implementation-Vendor-Id | org.apache.directory.server | Medium
Product | jar | package name | directory | Highest
Product | Manifest | bundle-symbolicname | org.apache.directory.server.i18n | Medium
Product | Manifest | Bundle-Name | ApacheDS I18n | Medium
Product | jar | package name | server | Low
Product | jar | package name | directory | Low
Product | Manifest | Implementation-Title | ApacheDS I18n | High
Product | jar | package name | apache | Highest
Product | Manifest | bundle-docurl | http://www.apache.org/ | Low
Product | file | name | apacheds-i18n | High
Product | jar | package name | i18n | Highest
Product | jar | package name | server | Highest
Product | gradle | artifactid | apacheds-i18n | Highest
Product | jar | package name | i18n | Low
Product | Manifest | specification-title | ApacheDS I18n | Medium
Version | Manifest | Implementation-Version | 2.0.0-M15 | High
Version | file | version | 2.0.0.m15 | High
Published Vulnerabilities
CVE-2020-7791
This affects the package i18n before 2.1.15. Vulnerability arises out of insufficient handling of erroneous language tags in src/i18n/Concrete/TextLocalizer.cs and src/i18n/LocalizedApplication.cs.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
apacheds-kerberos-codec-2.0.0-M15.jar
Description: The Kerberos protocol encoder/decoder module
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.directory.server/apacheds-kerberos-codec/2.0.0-M15/1c16e4e477183641c5f0dd5cdecd27ec331bacb5/apacheds-kerberos-codec-2.0.0-M15.jar
MD5: 3118e22eac44e150c383df1d417772f4
SHA1: 1c16e4e477183641c5f0dd5cdecd27ec331bacb5
SHA256: 4996f5b72497e94dd86d64a370158c4fb0049eea9b17ff8b27a4671d6c136ded
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | jar | package name | directory | Highest
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | jar | package name | kerberos | Highest
Vendor | jar | package name | directory | Low
Vendor | file | name | apacheds-kerberos-codec | High
Vendor | jar | package name | apache | Highest
Vendor | Manifest | bundle-docurl | http://www.apache.org/ | Low
Vendor | Manifest | bundle-symbolicname | org.apache.directory.server.kerberos.codec | Medium
Vendor | jar | package name | server | Highest
Vendor | jar | package name | apache | Low
Vendor | gradle | groupid | org.apache.directory.server | Highest
Vendor | jar | package name | shared | Low
Vendor | Manifest | Implementation-Vendor-Id | org.apache.directory.server | Medium
Product | Manifest | specification-title | ApacheDS Protocol Kerberos Codec | Medium
Product | jar | package name | directory | Highest
Product | Manifest | Bundle-Name | ApacheDS Protocol Kerberos Codec | Medium
Product | gradle | artifactid | apacheds-kerberos-codec | Highest
Product | jar | package name | kerberos | Highest
Product | jar | package name | directory | Low
Product | Manifest | Implementation-Title | ApacheDS Protocol Kerberos Codec | High
Product | file | name | apacheds-kerberos-codec | High
Product | jar | package name | apache | Highest
Product | Manifest | bundle-docurl | http://www.apache.org/ | Low
Product | jar | package name | kerberos | Low
Product | Manifest | bundle-symbolicname | org.apache.directory.server.kerberos.codec | Medium
Product | jar | package name | server | Highest
Product | jar | package name | shared | Low
Version | Manifest | Implementation-Version | 2.0.0-M15 | High
Version | file | version | 2.0.0.m15 | High
api-asn1-api-1.0.0-M20.jar
Description: ASN.1 API
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.directory.api/api-asn1-api/1.0.0-M20/5e6486ffa3125ba44dc410ead166e1d6ba8ac76d/api-asn1-api-1.0.0-M20.jar
MD5: cf4561832dab76e9f37461342ec18d17
SHA1: 5e6486ffa3125ba44dc410ead166e1d6ba8ac76d
SHA256: 484aaf4b888b0eb699d95bea265c2d5b6ebec951d70e5c5f7691cd52dd4c8298
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | gradle | groupid | org.apache.directory.api | Highest
Vendor | jar | package name | api | Low
Vendor | jar | package name | directory | Highest
Vendor | Manifest | Implementation-Vendor-Id | org.apache.directory.api | Medium
Vendor | Manifest | bundle-symbolicname | org.apache.directory.api.asn1.api | Medium
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | jar | package name | directory | Low
Vendor | file | name | api-asn1-api | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | asn1 | Highest
Vendor | Manifest | bundle-docurl | http://www.apache.org/ | Low
Vendor | jar | package name | api | Highest
Vendor | jar | package name | apache | Low
Product | Manifest | Bundle-Name | Apache Directory API ASN.1 API | Medium
Product | jar | package name | api | Low
Product | jar | package name | directory | Highest
Product | Manifest | bundle-symbolicname | org.apache.directory.api.asn1.api | Medium
Product | jar | package name | directory | Low
Product | jar | package name | asn1 | Low
Product | gradle | artifactid | api-asn1-api | Highest
Product | file | name | api-asn1-api | High
Product | jar | package name | apache | Highest
Product | jar | package name | asn1 | Highest
Product | Manifest | bundle-docurl | http://www.apache.org/ | Low
Product | jar | package name | api | Highest
Product | Manifest | Implementation-Title | Apache Directory API ASN.1 API | High
Product | Manifest | specification-title | Apache Directory API ASN.1 API | Medium
Version | file | version | 1.0.0.m20 | High
Version | Manifest | Implementation-Version | 1.0.0-M20 | High
api-util-1.0.0-M20.jar
Description: Utilities shared across this top level project
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.directory.api/api-util/1.0.0-M20/a871abf060b3cf83fc6dc4d7e3d151fce50ac3cb/api-util-1.0.0-M20.jar
MD5: 2c5a6722666882024becdd64301be492
SHA1: a871abf060b3cf83fc6dc4d7e3d151fce50ac3cb
SHA256: fd32fd047ccf143c58d093b58811aa81e539f8cf83c1187809f1a241a1df12d1
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | gradle | groupid | org.apache.directory.api | Highest
Vendor | file | name | api-util | High
Vendor | jar | package name | directory | Highest
Vendor | pom | parent-groupid | org.apache.directory.api | Medium
Vendor | pom | artifactid | api-util | Low
Vendor | Manifest | bundle-symbolicname | org.apache.directory.api.util | Medium
Vendor | pom | parent-artifactid | api-parent | Low
Vendor | pom | name | Apache Directory LDAP API Utilities | High
Vendor | jar | package name | apache | Highest
Vendor | Manifest | bundle-docurl | http://www.apache.org/ | Low
Vendor | jar | package name | util | Highest
Vendor | jar | package name | api | Highest
Vendor | pom | groupid | apache.directory.api | Highest
Product | gradle | artifactid | api-util | Highest
Product | file | name | api-util | High
Product | Manifest | Bundle-Name | Apache Directory LDAP API Utilities | Medium
Product | jar | package name | directory | Highest
Product | pom | parent-groupid | org.apache.directory.api | Medium
Product | Manifest | bundle-symbolicname | org.apache.directory.api.util | Medium
Product | pom | name | Apache Directory LDAP API Utilities | High
Product | jar | package name | apache | Highest
Product | pom | artifactid | api-util | Highest
Product | Manifest | bundle-docurl | http://www.apache.org/ | Low
Product | jar | package name | util | Highest
Product | pom | parent-artifactid | api-parent | Medium
Product | jar | package name | api | Highest
Product | pom | groupid | apache.directory.api | Highest
Version | gradle | version | 1.0.0-M20 | Highest
Version | pom | version | 1.0.0-M20 | Highest
Published Vulnerabilities
CVE-2018-1337
In Apache Directory LDAP API before 1.0.2, a bug in the way the SSL Filter was setup made it possible for another thread to use the connection before the TLS layer has been established, if the connection has already been used and put back in a pool of connections, leading to leaking any information contained in this request (including the credentials when sending a BIND request).
CWE: CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
apiguardian-api-1.1.0.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apiguardian/apiguardian-api/1.1.0/fc9dff4bb36d627bdc553de77e1f17efd790876c/apiguardian-api-1.1.0.jar
MD5: 944805817b648e558ed6be6fc7f054f3
SHA1: fc9dff4bb36d627bdc553de77e1f17efd790876c
SHA256: a9aae9ff8ae3e17a2a18f79175e82b16267c246fbbd3ca9dfbbb290b08dcfdd4
Referenced In Projects/Scopes: cassandra:compileClasspath piglet:compileClasspath piglet:runtimeClasspath spark:default splunk:default kafka:default spark:compileClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath linq4j:runtimeClasspath linq4j:default druid:compileClasspath plus:compileClasspath linq4j:compileClasspath pig:default plus:runtimeClasspath splunk:compileClasspath function:default file:compileClasspath core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath file:runtimeClasspath innodb:runtimeClasspath elasticsearch:default kafka:compileClasspath druid:runtimeClasspath mongodb:default cassandra:default babel:default function:runtimeClasspath redis:compileClasspath redis:runtimeClasspath core:default function:compileClasspath elasticsearch:compileClasspath babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default babel:compileClasspath csv:default innodb:compileClasspath core:compileClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default geode:compileClasspath mongodb:runtimeClasspath file:default server:default ubenchmark:jmhCompileClasspath pig:runtimeClasspath mongodb:compileClasspath server:compileClasspath redis:default geode:runtimeClasspath csv:compileClasspath csv:runtimeClasspath plus:default pig:compileClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | Implementation-Vendor | apiguardian.org | High
Vendor | jar | package name | api | Low
Vendor | file | name | apiguardian-api | High
Vendor | Manifest | build-date | 2019-06-06 | Low
Vendor | Manifest | build-revision | e7f98b22d3b2a54033711e2666a047d1066b0b25 | Low
Vendor | Manifest | specification-vendor | apiguardian.org | Low
Vendor | jar | package name | apiguardian | Low
Vendor | jar | package name | apiguardian | Highest
Vendor | gradle | groupid | org.apiguardian | Highest
Vendor | Manifest | build-time | 21:07:38.516+0200 | Low
Product | gradle | artifactid | apiguardian-api | Highest
Product | Manifest | Implementation-Title | apiguardian-api | High
Product | jar | package name | api | Low
Product | file | name | apiguardian-api | High
Product | Manifest | build-date | 2019-06-06 | Low
Product | Manifest | build-revision | e7f98b22d3b2a54033711e2666a047d1066b0b25 | Low
Product | jar | package name | apiguardian | Highest
Product | Manifest | specification-title | apiguardian-api | Medium
Product | Manifest | build-time | 21:07:38.516+0200 | Low
Version | Manifest | Implementation-Version | 1.1.0 | High
Version | file | version | 1.1.0 | High
asm-3.1.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/asm/asm/3.1/c157def142714c544bdea2e6144645702adf7097/asm-3.1.jar
MD5: b9b8d2d556f9458aac8c463fd511f86d
SHA1: c157def142714c544bdea2e6144645702adf7097
SHA256: 333ff5369043975b7e031b8b27206937441854738e038c1f47f98d072a20437a
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath piglet:default
Evidence
Type | Source | Name | Value | Confidence
Vendor | jar | package name | asm | Low
Vendor | jar | package name | objectweb | Low
Vendor | file | name | asm | High
Vendor | Manifest | Implementation-Vendor | France Telecom R&D | High
Vendor | gradle | groupid | asm | Highest
Product | jar | package name | asm | Low
Product | jar | package name | asm | Highest
Product | Manifest | Implementation-Title | ASM | High
Product | file | name | asm | High
Product | gradle | artifactid | asm | Highest
Version | file | version | 3.1 | High
Version | Manifest | Implementation-Version | 3.1 | High
asm-5.0.3.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.ow2.asm/asm/5.0.3/dcc2193db20e19e1feca8b1240dbbc4e190824fa/asm-5.0.3.jar
MD5: ccebee99fb8cdd50e1967680a2eac0ba
SHA1: dcc2193db20e19e1feca8b1240dbbc4e190824fa
SHA256: 71c4f78e437b8fdcd9cc0dfd2abea8c089eb677005a6a5cff320206cc52b46cc
Referenced In Project/Scope: ubenchmark:jmh
Evidence
Type | Source | Name | Value | Confidence
Vendor | jar | package name | asm | Low
Vendor | jar | package name | asm | Highest
Vendor | Manifest | bundle-symbolicname | org.objectweb.asm | Medium
Vendor | Manifest | bundle-docurl | http://asm.objectweb.org | Low
Vendor | jar | package name | objectweb | Low
Vendor | file | name | asm | High
Vendor | Manifest | Implementation-Vendor | France Telecom R&D | High
Vendor | gradle | groupid | org.ow2.asm | Highest
Vendor | jar | package name | objectweb | Highest
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.3 | Low
Product | jar | package name | asm | Low
Product | jar | package name | asm | Highest
Product | Manifest | Implementation-Title | ASM | High
Product | Manifest | bundle-symbolicname | org.objectweb.asm | Medium
Product | Manifest | bundle-docurl | http://asm.objectweb.org | Low
Product | file | name | asm | High
Product | gradle | artifactid | asm | Highest
Product | jar | package name | objectweb | Highest
Product | Manifest | Bundle-Name | ASM | Medium
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.3 | Low
Version | file | version | 5.0.3 | High
Version | Manifest | Implementation-Version | 5.0.3 | High
asm-7.2.jar
License: BSD-3-Clause;link=https://asm.ow2.io/LICENSE.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.ow2.asm/asm/7.2/fa637eb67eb7628c915d73762b681ae7ff0b9731/asm-7.2.jar
MD5: 26cf10dfd4729fd22fcae0694e041167
SHA1: fa637eb67eb7628c915d73762b681ae7ff0b9731
SHA256: 7e6cc9e92eb94d04e39356c6d8144ca058cda961c344a7f62166a405f3206672
Referenced In Projects/Scopes: cassandra:compileClasspath babel:default piglet:runtimeClasspath spark:default splunk:default function:runtimeClasspath kafka:default redis:runtimeClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath core:default babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default pig:default plus:runtimeClasspath function:default csv:default core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath core:compileClasspath file:runtimeClasspath innodb:runtimeClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default elasticsearch:default druid:runtimeClasspath mongodb:runtimeClasspath file:default server:default ubenchmark:jmhCompileClasspath pig:runtimeClasspath mongodb:default redis:default geode:runtimeClasspath csv:runtimeClasspath plus:default cassandra:default
Evidence
Type | Source | Name | Value | Confidence
Vendor | jar | package name | asm | Low
Vendor | jar | package name | asm | Highest
Vendor | Manifest | bundle-docurl | http://asm.ow2.org | Low
Vendor | Manifest | bundle-symbolicname | org.objectweb.asm | Medium
Vendor | jar | package name | objectweb | Low
Vendor | file | name | asm | High
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Vendor | gradle | groupid | org.ow2.asm | Highest
Vendor | jar | package name | objectweb | Highest
Product | Manifest | Implementation-Title | ASM, a very small and fast Java bytecode manipulation framework | High
Product | jar | package name | asm | Low
Product | jar | package name | asm | Highest
Product | Manifest | bundle-docurl | http://asm.ow2.org | Low
Product | Manifest | bundle-symbolicname | org.objectweb.asm | Medium
Product | Manifest | Bundle-Name | org.objectweb.asm | Medium
Product | file | name | asm | High
Product | gradle | artifactid | asm | Highest
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Product | jar | package name | objectweb | Highest
Version | Manifest | Implementation-Version | 7.2 | High
Version | file | version | 7.2 | High
asm-analysis-7.2.jar
License: BSD-3-Clause;link=https://asm.ow2.io/LICENSE.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.ow2.asm/asm-analysis/7.2/b6e6abe057f23630113f4167c34bda7086691258/asm-analysis-7.2.jar
MD5: e0aa4ec0cfa837415818aac762ed5dc2
SHA1: b6e6abe057f23630113f4167c34bda7086691258
SHA256: be922aae60ff1ff1768e8e6544a38a7f92bd0a6d6b0b9791f94955d1bd453de2
Referenced In Projects/Scopes: cassandra:compileClasspath calcite:sqllineClasspath cassandra:runtimeClasspath cassandra:default
Evidence
Type | Source | Name | Value | Confidence
Vendor | jar | package name | tree | Highest
Vendor | jar | package name | asm | Highest
Vendor | Manifest | bundle-docurl | http://asm.ow2.org | Low
Vendor | jar | package name | objectweb | Low
Vendor | file | name | asm-analysis | High
Vendor | jar | package name | analysis | Highest
Vendor | jar | package name | objectweb | Highest
Vendor | jar | package name | tree | Low
Vendor | Manifest | module-requires | org.objectweb.asm.tree;transitive=true | Low
Vendor | jar | package name | asm | Low
Vendor | Manifest | bundle-symbolicname | org.objectweb.asm.tree.analysis | Medium
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Vendor | gradle | groupid | org.ow2.asm | Highest
Product | jar | package name | tree | Highest
Product | Manifest | Bundle-Name | org.objectweb.asm.tree.analysis | Medium
Product | jar | package name | asm | Highest
Product | Manifest | bundle-docurl | http://asm.ow2.org | Low
Product | file | name | asm-analysis | High
Product | jar | package name | analysis | Highest
Product | jar | package name | objectweb | Highest
Product | jar | package name | tree | Low
Product | Manifest | Implementation-Title | Static code analysis API of ASM, a very small and fast Java bytecode manipulation framework | High
Product | Manifest | module-requires | org.objectweb.asm.tree;transitive=true | Low
Product | jar | package name | asm | Low
Product | Manifest | bundle-symbolicname | org.objectweb.asm.tree.analysis | Medium
Product | gradle | artifactid | asm-analysis | Highest
Product | jar | package name | analysis | Low
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Version | Manifest | Implementation-Version | 7.2 | High
Version | file | version | 7.2 | High
asm-commons-7.2.jar
License: BSD-3-Clause;link=https://asm.ow2.io/LICENSE.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.ow2.asm/asm-commons/7.2/ca2954e8d92a05bacc28ff465b25c70e0f512497/asm-commons-7.2.jar
MD5: 321121317a6c6221cc26e8f9ee97022f
SHA1: ca2954e8d92a05bacc28ff465b25c70e0f512497
SHA256: 0e86b8b179c5fb223d1a880a0ff4960b6978223984b94e62e71135f2d8ea3558
Referenced In Projects/Scopes: cassandra:compileClasspath calcite:sqllineClasspath cassandra:runtimeClasspath cassandra:default
Evidence
Type | Source | Name | Value | Confidence
Vendor | jar | package name | asm | Highest
Vendor | Manifest | bundle-docurl | http://asm.ow2.org | Low
Vendor | Manifest | module-requires | org.objectweb.asm;transitive=true,org.objectweb.asm.tree;transitive=true,org.objectweb.asm.tree.analysis;transitive=true | Low
Vendor | jar | package name | objectweb | Low
Vendor | file | name | asm-commons | High
Vendor | jar | package name | commons | Low
Vendor | jar | package name | objectweb | Highest
Vendor | jar | package name | commons | Highest
Vendor | Manifest | bundle-symbolicname | org.objectweb.asm.commons | Medium
Vendor | jar | package name | asm | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Vendor | gradle | groupid | org.ow2.asm | Highest
Product | jar | package name | asm | Highest
Product | Manifest | bundle-docurl | http://asm.ow2.org | Low
Product | Manifest | module-requires | org.objectweb.asm;transitive=true,org.objectweb.asm.tree;transitive=true,org.objectweb.asm.tree.analysis;transitive=true | Low
Product | file | name | asm-commons | High
Product | jar | package name | commons | Low
Product | jar | package name | objectweb | Highest
Product | jar | package name | commons | Highest
Product | Manifest | bundle-symbolicname | org.objectweb.asm.commons | Medium
Product | jar | package name | asm | Low
Product | Manifest | Implementation-Title | Usefull class adapters based on ASM, a very small and fast Java bytecode manipulation framework | High
Product | Manifest | Bundle-Name | org.objectweb.asm.commons | Medium
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Product | gradle | artifactid | asm-commons | Highest
Version | Manifest | Implementation-Version | 7.2 | High
Version | file | version | 7.2 | High
asm-tree-7.2.jar
License: BSD-3-Clause;link=https://asm.ow2.io/LICENSE.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.ow2.asm/asm-tree/7.2/3a23cc36edaf8fc5a89cb100182758ccb5991487/asm-tree-7.2.jar
MD5: c7214695c379f25861500e576a1f8cea
SHA1: 3a23cc36edaf8fc5a89cb100182758ccb5991487
SHA256: c063f5a67fa03cdc9bd79fd1c2ea6816cc4a19473ecdfbd9e9153b408c6f2656
Referenced In Projects/Scopes: cassandra:compileClasspath calcite:sqllineClasspath cassandra:runtimeClasspath cassandra:default
Evidence
Type | Source | Name | Value | Confidence
Vendor | jar | package name | tree | Highest
Vendor | jar | package name | asm | Highest
Vendor | Manifest | bundle-docurl | http://asm.ow2.org | Low
Vendor | jar | package name | objectweb | Low
Vendor | jar | package name | objectweb | Highest
Vendor | jar | package name | tree | Low
Vendor | file | name | asm-tree | High
Vendor | jar | package name | asm | Low
Vendor | Manifest | module-requires | org.objectweb.asm;transitive=true | Low
Vendor | Manifest | bundle-symbolicname | org.objectweb.asm.tree | Medium
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Vendor | gradle | groupid | org.ow2.asm | Highest
Product | jar | package name | tree | Highest
Product | Manifest | Implementation-Title | Tree API of ASM, a very small and fast Java bytecode manipulation framework | High
Product | jar | package name | asm | Highest
Product | Manifest | bundle-docurl | http://asm.ow2.org | Low
Product | jar | package name | objectweb | Highest
Product | jar | package name | tree | Low
Product | Manifest | Bundle-Name | org.objectweb.asm.tree | Medium
Product | file | name | asm-tree | High
Product | gradle | artifactid | asm-tree | Highest
Product | jar | package name | asm | Low
Product | Manifest | module-requires | org.objectweb.asm;transitive=true | Low
Product | Manifest | bundle-symbolicname | org.objectweb.asm.tree | Medium
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Version | Manifest | Implementation-Version | 7.2 | High
Version | file | version | 7.2 | High
asm-util-7.2.jar
License: BSD-3-Clause;link=https://asm.ow2.io/LICENSE.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.ow2.asm/asm-util/7.2/a3ae34e57fa8a4040e28247291d0cc3d6b8c7bcf/asm-util-7.2.jar
MD5: 0891d2562ab1db2a1d5fc013af9b40c5
SHA1: a3ae34e57fa8a4040e28247291d0cc3d6b8c7bcf
SHA256: 6e24913b021ffacfe8e7e053d6e0ccc731941148cfa078d4f1ed3d96904530f8
Referenced In Projects/Scopes: cassandra:compileClasspath calcite:sqllineClasspath cassandra:runtimeClasspath cassandra:default
Evidence
Type | Source | Name | Value | Confidence
Vendor | jar | package name | asm | Highest
Vendor | Manifest | bundle-docurl | http://asm.ow2.org | Low
Vendor | Manifest | module-requires | org.objectweb.asm;transitive=true,org.objectweb.asm.tree;transitive=true,org.objectweb.asm.tree.analysis;transitive=true | Low
Vendor | jar | package name | objectweb | Low
Vendor | file | name | asm-util | High
Vendor | Manifest | bundle-symbolicname | org.objectweb.asm.util | Medium
Vendor | jar | package name | objectweb | Highest
Vendor | jar | package name | asm | Low
Vendor | jar | package name | util | Highest
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Vendor | gradle | groupid | org.ow2.asm | Highest
Vendor | jar | package name | util | Low
Product | jar | package name | asm | Highest
Product | Manifest | bundle-docurl | http://asm.ow2.org | Low
Product | Manifest | module-requires | org.objectweb.asm;transitive=true,org.objectweb.asm.tree;transitive=true,org.objectweb.asm.tree.analysis;transitive=true | Low
Product | gradle | artifactid | asm-util | Highest
Product | file | name | asm-util | High
Product | Manifest | bundle-symbolicname | org.objectweb.asm.util | Medium
Product | jar | package name | objectweb | Highest
Product | jar | package name | asm | Low
Product | jar | package name | util | Highest
Product | Manifest | Bundle-Name | org.objectweb.asm.util | Medium
Product | Manifest | Implementation-Title | Utilities for ASM, a very small and fast Java bytecode manipulation framework | High
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Product | jar | package name | util | Low
Version | Manifest | Implementation-Version | 7.2 | High
Version | file | version | 7.2 | High
automaton-1.11-8.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/dk.brics.automaton/automaton/1.11-8/6ebfa65eb431ff4b715a23be7a750cbc4cc96d0f/automaton-1.11-8.jar
MD5: 3467dcbbba2fe68a4e07a5826988e034
SHA1: 6ebfa65eb431ff4b715a23be7a750cbc4cc96d0f
SHA256: a24475f6ccfe1cc7a4fe9e34e05ce687b0ce0c6e8cb781e0eced3b186482c61e
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | jar | package name | dk | Low
Vendor | gradle | groupid | dk.brics.automaton | Highest
Vendor | jar | package name | automaton | Low
Vendor | file | name | automaton | High
Vendor | jar | package name | brics | Low
Product | jar | package name | automaton | Low
Product | file | name | automaton | High
Product | jar | package name | brics | Low
Product | gradle | artifactid | automaton | Highest
Version | file | name | automaton | Medium
Version | gradle | version | 1.11-8 | Highest
Version | file | version | 1.11.8 | High
avatica-core-1.17.0.jarLicense:
Apache-2.0 File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.calcite.avatica/avatica-core/1.17.0/d69e7e0f02610af0f432e5241d7a202ab48bf3cb/avatica-core-1.17.0.jar
MD5: 17281ec720a334d55458c9ae6aeb0392
SHA1: d69e7e0f02610af0f432e5241d7a202ab48bf3cb
SHA256: 0f6db960de59f23386792843fcd7e500007d2d8feab08cdead7a6bd07721c54d
Referenced In Projects/Scopes: cassandra:compileClasspath piglet:compileClasspath piglet:runtimeClasspath spark:default splunk:default kafka:default spark:compileClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath linq4j:runtimeClasspath linq4j:default druid:compileClasspath plus:compileClasspath linq4j:compileClasspath pig:default plus:runtimeClasspath splunk:compileClasspath function:default file:compileClasspath core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath file:runtimeClasspath innodb:runtimeClasspath elasticsearch:default kafka:compileClasspath druid:runtimeClasspath mongodb:default cassandra:default babel:default function:runtimeClasspath redis:compileClasspath redis:runtimeClasspath core:default function:compileClasspath elasticsearch:compileClasspath babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default babel:compileClasspath csv:default innodb:compileClasspath core:compileClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default geode:compileClasspath mongodb:runtimeClasspath file:default server:default ubenchmark:jmhCompileClasspath pig:runtimeClasspath mongodb:compileClasspath server:compileClasspath redis:default geode:runtimeClasspath csv:compileClasspath csv:runtimeClasspath plus:default pig:compileClasspath
Evidence Type Source Name Value Confidence Vendor jar package name avatica Low Vendor Manifest Implementation-Vendor-Id org.apache.calcite.avatica Medium Vendor jar package name apache Highest Vendor jar package name avatica Highest Vendor jar package name calcite Low Vendor file name avatica-core High Vendor jar package name apache Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor gradle groupid org.apache.calcite.avatica Highest Vendor jar package name calcite Highest Vendor Manifest Implementation-Vendor Apache Software Foundation High Product jar package name avatica Low Product jar package name apache Highest Product jar package name avatica Highest Product Manifest specification-title Apache Calcite Avatica Medium Product gradle artifactid avatica-core Highest Product Manifest Implementation-Title Apache Calcite Avatica High Product jar package name calcite Low Product file name avatica-core High Product jar package name calcite Highest Version Manifest Implementation-Version 1.17.0 High Version file version 1.17.0 High
Published Vulnerabilities: CVE-2020-13955
HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses internally this method to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications. From Apache Calcite 1.26 onwards, the hostname verification will be performed using the default JVM truststore. CWE-306 Missing Authentication for Critical Function
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
avatica-metrics-1.17.0.jar
License:
Apache-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.calcite.avatica/avatica-metrics/1.17.0/c1c778095d3069504b17155c468169075c646e75/avatica-metrics-1.17.0.jar
MD5: f4c86c13e6b466e90b177fbc29328d58
SHA1: c1c778095d3069504b17155c468169075c646e75
SHA256: a3b5df76c52fa0cd93e17d6bccc149652c32163b97da995a8ec8c8690421a604
Referenced In Projects/Scopes: cassandra:compileClasspath piglet:compileClasspath piglet:runtimeClasspath spark:default splunk:default kafka:default spark:compileClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath linq4j:runtimeClasspath linq4j:default druid:compileClasspath plus:compileClasspath linq4j:compileClasspath pig:default plus:runtimeClasspath splunk:compileClasspath function:default file:compileClasspath core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath file:runtimeClasspath innodb:runtimeClasspath elasticsearch:default kafka:compileClasspath druid:runtimeClasspath mongodb:default cassandra:default babel:default function:runtimeClasspath redis:compileClasspath redis:runtimeClasspath core:default function:compileClasspath elasticsearch:compileClasspath babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default babel:compileClasspath csv:default innodb:compileClasspath core:compileClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default geode:compileClasspath mongodb:runtimeClasspath file:default server:default ubenchmark:jmhCompileClasspath pig:runtimeClasspath mongodb:compileClasspath server:compileClasspath redis:default geode:runtimeClasspath csv:compileClasspath csv:runtimeClasspath plus:default pig:compileClasspath
Evidence Type Source Name Value Confidence Vendor jar package name avatica Low Vendor Manifest Implementation-Vendor-Id org.apache.calcite.avatica Medium Vendor jar package name apache Highest Vendor jar package name avatica Highest Vendor jar package name calcite Low Vendor jar package name apache Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor gradle groupid org.apache.calcite.avatica Highest Vendor jar package name calcite Highest Vendor file name avatica-metrics High Vendor Manifest Implementation-Vendor Apache Software Foundation High Product jar package name avatica Low Product jar package name apache Highest Product jar package name avatica Highest Product gradle artifactid avatica-metrics Highest Product jar package name metrics Low Product Manifest specification-title Apache Calcite Avatica Medium Product Manifest Implementation-Title Apache Calcite Avatica High Product jar package name calcite Low Product jar package name calcite Highest Product file name avatica-metrics High Version Manifest Implementation-Version 1.17.0 High Version file version 1.17.0 High
Published Vulnerabilities: CVE-2020-13955
HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses internally this method to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications. From Apache Calcite 1.26 onwards, the hostname verification will be performed using the default JVM truststore. CWE-306 Missing Authentication for Critical Function
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
avatica-server-1.17.0.jar
License:
Apache-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.calcite.avatica/avatica-server/1.17.0/cadc51ec46ac0586c94ec1740f1dcb200ef244ac/avatica-server-1.17.0.jar
MD5: 13029dd895bcd99343341131ff89bc97
SHA1: cadc51ec46ac0586c94ec1740f1dcb200ef244ac
SHA256: e6abe198723084664c027a018843e0fe18203eeb03a920b07b22aea739366806
Referenced In Projects/Scopes: calcite:sqllineClasspath plus:compileClasspath plus:default plus:runtimeClasspath Evidence Type Source Name Value Confidence Vendor jar package name avatica Low Vendor Manifest Implementation-Vendor-Id org.apache.calcite.avatica Medium Vendor jar package name apache Highest Vendor jar package name avatica Highest Vendor file name avatica-server High Vendor jar package name calcite Low Vendor jar package name apache Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor gradle groupid org.apache.calcite.avatica Highest Vendor jar package name calcite Highest Vendor Manifest Implementation-Vendor Apache Software Foundation High Product jar package name avatica Low Product jar package name apache Highest Product jar package name avatica Highest Product Manifest specification-title Apache Calcite Avatica Medium Product file name avatica-server High Product Manifest Implementation-Title Apache Calcite Avatica High Product jar package name calcite Low Product jar package name calcite Highest Product jar package name server Low Product gradle artifactid avatica-server Highest Version Manifest Implementation-Version 1.17.0 High Version file version 1.17.0 High
Published Vulnerabilities: CVE-2020-13955
HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses internally this method to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications. From Apache Calcite 1.26 onwards, the hostname verification will be performed using the default JVM truststore. CWE-306 Missing Authentication for Critical Function
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
avro-1.7.4.jar
Description:
Avro core components
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.avro/avro/1.7.4/416e7030879814f52845b97f04bb50ecd1cef372/avro-1.7.4.jar
MD5: de02dfb1f5880c0b422f215ffcaa3379
SHA1: 416e7030879814f52845b97f04bb50ecd1cef372
SHA256: a01d26e9a5ed0754e8c88dbb373fba896c57df0a0c424185767a3857855bb222
Referenced In Projects/Scopes:
piglet:compileClasspath piglet:runtimeClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath Evidence Type Source Name Value Confidence Vendor pom artifactid avro Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor jar package name avro Highest Vendor pom parent-artifactid avro-parent Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom parent-groupid org.apache.avro Medium Vendor jar package name apache Highest Vendor file name avro High Vendor pom url http://avro.apache.org Highest Vendor gradle groupid org.apache.avro Highest Vendor Manifest Implementation-Vendor-Id org.apache.avro Medium Vendor pom groupid apache.avro Highest Vendor pom name Apache Avro High Product Manifest Implementation-Title Apache Avro High Product Manifest specification-title Apache Avro Medium Product pom url http://avro.apache.org Medium Product jar package name avro Highest Product pom parent-groupid org.apache.avro Medium Product jar package name apache Highest Product file name avro High Product pom parent-artifactid avro-parent Medium Product pom artifactid avro Highest Product gradle artifactid avro Highest Product pom groupid apache.avro Highest Product pom name Apache Avro High Version gradle version 1.7.4 Highest Version file version 1.7.4 High Version pom version 1.7.4 Highest Version Manifest Implementation-Version 1.7.4 High
avro-1.7.7.jar
Description:
Avro core components
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.avro/avro/1.7.7/3548c0bc136e71006f3fc34e22d34a29e5069e50/avro-1.7.7.jar
MD5: e910e3a3bad0181b1e2e55856cf3ce83
SHA1: 3548c0bc136e71006f3fc34e22d34a29e5069e50
SHA256: 5ba0a81f4b0769122b6045b98bb9bbba5f2c69dbf736a6cc7ca4eb603c337487
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor Manifest bundle-symbolicname avro Medium Vendor pom artifactid avro Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor jar package name avro Highest Vendor pom parent-artifactid avro-parent Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom parent-groupid org.apache.avro Medium Vendor jar package name apache Highest Vendor Manifest bundle-docurl http://www.apache.org/ Low Vendor file name avro High Vendor pom url http://avro.apache.org Highest Vendor gradle groupid org.apache.avro Highest Vendor Manifest Implementation-Vendor-Id org.apache.avro Medium Vendor pom groupid apache.avro Highest Vendor pom name Apache Avro High Product Manifest bundle-symbolicname avro Medium Product Manifest Implementation-Title Apache Avro High Product Manifest specification-title Apache Avro Medium Product pom url http://avro.apache.org Medium Product jar package name avro Highest Product Manifest Bundle-Name Apache Avro Medium Product pom parent-groupid org.apache.avro Medium Product jar package name apache Highest Product Manifest bundle-docurl http://www.apache.org/ Low Product file name avro High Product pom parent-artifactid avro-parent Medium Product pom artifactid avro Highest Product gradle artifactid avro Highest Product pom groupid apache.avro Highest Product pom name Apache Avro High Version file version 1.7.7 High Version pom version 1.7.7 Highest Version gradle version 1.7.7 Highest Version Manifest Implementation-Version 1.7.7 High Version Manifest Bundle-Version 1.7.7 High
avro-ipc-1.7.7-tests.jar
Description:
Avro inter-process communication components
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.avro/avro-ipc/1.7.7/1ef0eeefcd80710085a95172819c78cf2cb7f13d/avro-ipc-1.7.7-tests.jar
MD5: f09bac463cf1bdfb5eacbcf77f0e71f5
SHA1: 1ef0eeefcd80710085a95172819c78cf2cb7f13d
SHA256: 496c8137f1bc2e2fcaef8c42e4fe7aec02975d34487d413f7ad8cb8857626ddc
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor pom name Apache Avro IPC High Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor jar package name avro Highest Vendor pom parent-artifactid avro-parent Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom parent-groupid org.apache.avro Medium Vendor jar package name apache Highest Vendor jar package name ipc Highest Vendor file name avro-ipc High Vendor pom url http://avro.apache.org Highest Vendor gradle groupid org.apache.avro Highest Vendor Manifest Implementation-Vendor-Id org.apache.avro Medium Vendor pom groupid apache.avro Highest Vendor pom artifactid avro-ipc Low Product pom name Apache Avro IPC High Product pom artifactid avro-ipc Highest Product pom url http://avro.apache.org Medium Product gradle artifactid avro-ipc Highest Product jar package name avro Highest Product pom parent-groupid org.apache.avro Medium Product Manifest Implementation-Title Apache Avro IPC High Product jar package name apache Highest Product pom parent-artifactid avro-parent Medium Product jar package name ipc Highest Product file name avro-ipc High Product Manifest specification-title Apache Avro IPC Medium Product pom groupid apache.avro Highest Version file version 1.7.7 High Version pom version 1.7.7 Highest Version gradle version 1.7.7 Highest Version Manifest Implementation-Version 1.7.7 High
avro-ipc-1.7.7.jar
Description:
Avro inter-process communication components
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.avro/avro-ipc/1.7.7/b754e613b8fbd8c81fb6fb250e658f6c16efbffa/avro-ipc-1.7.7.jar
MD5: fce7b2ae71c6a5dc996340b6cfa060f4
SHA1: b754e613b8fbd8c81fb6fb250e658f6c16efbffa
SHA256: 55d369313d9947a8f3250837526bdb90b7608101b4acc881c32f35fc16cc21e2
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor pom name Apache Avro IPC High Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor jar package name avro Highest Vendor pom parent-artifactid avro-parent Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom parent-groupid org.apache.avro Medium Vendor Manifest bundle-symbolicname avro-ipc Medium Vendor jar package name apache Highest Vendor Manifest bundle-docurl http://www.apache.org/ Low Vendor jar package name ipc Highest Vendor file name avro-ipc High Vendor pom url http://avro.apache.org Highest Vendor gradle groupid org.apache.avro Highest Vendor Manifest Implementation-Vendor-Id org.apache.avro Medium Vendor pom groupid apache.avro Highest Vendor pom artifactid avro-ipc Low Product pom name Apache Avro IPC High Product pom artifactid avro-ipc Highest Product pom url http://avro.apache.org Medium Product gradle artifactid avro-ipc Highest Product jar package name avro Highest Product Manifest Bundle-Name Apache Avro IPC Medium Product pom parent-groupid org.apache.avro Medium Product Manifest Implementation-Title Apache Avro IPC High Product jar package name apache Highest Product Manifest bundle-symbolicname avro-ipc Medium Product Manifest bundle-docurl http://www.apache.org/ Low Product pom parent-artifactid avro-parent Medium Product jar package name ipc Highest Product file name avro-ipc High Product Manifest specification-title Apache Avro IPC Medium Product pom groupid apache.avro Highest Version file version 1.7.7 High Version pom version 1.7.7 Highest Version gradle version 1.7.7 Highest Version Manifest Implementation-Version 1.7.7 High Version Manifest Bundle-Version 1.7.7 High
avro-mapred-1.7.7-hadoop2.jar
Description:
An org.apache.hadoop.mapred compatible API for using Avro Serializatin in Hadoop
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.avro/avro-mapred/1.7.7/d8f23aff4a3c827c6a35009c8182872bfc0e52f5/avro-mapred-1.7.7-hadoop2.jar
MD5: 5c40924393b4a7e87a98c722cd1f0606
SHA1: d8f23aff4a3c827c6a35009c8182872bfc0e52f5
SHA256: c79cf519f4ee3d278b9cdf0b3814d686a911d1bc37c1626bc2bcb4bd279f4895
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor pom artifactid avro-mapred Low Vendor jar package name hadoop Highest Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor jar package name mapred Highest Vendor jar package name avro Highest Vendor pom parent-artifactid avro-parent Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom parent-groupid org.apache.avro Medium Vendor file name avro-mapred High Vendor jar package name apache Highest Vendor pom name Apache Avro Mapred API High Vendor gradle groupid org.apache.avro Highest Vendor Manifest Implementation-Vendor-Id org.apache.avro Medium Vendor pom groupid apache.avro Highest Product Manifest specification-title Apache Avro Mapred API Medium Product jar package name hadoop Highest Product Manifest Implementation-Title Apache Avro Mapred API High Product jar package name mapred Highest Product jar package name avro Highest Product pom parent-groupid org.apache.avro Medium Product file name avro-mapred High Product jar package name apache Highest Product pom artifactid avro-mapred Highest Product gradle artifactid avro-mapred Highest Product pom parent-artifactid avro-parent Medium Product pom name Apache Avro Mapred API High Product pom groupid apache.avro Highest Version file version 1.7.7 High Version pom version 1.7.7 Highest Version gradle version 1.7.7 Highest Version Manifest Implementation-Version 1.7.7 High
backport-util-concurrent-3.1.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/backport-util-concurrent/backport-util-concurrent/3.1/682f7ac17fed79e92f8e87d8455192b63376347b/backport-util-concurrent-3.1.jar
MD5: 748bb0cbf4780b2e3121dc9c12e10cd9
SHA1: 682f7ac17fed79e92f8e87d8455192b63376347b
SHA256: f5759b7fcdfc83a525a036deedcbd32e5b536b625ebc282426f16ca137eb5902
Referenced In Projects/Scopes:
file:compileClasspath file:runtimeClasspath calcite:sqllineClasspath csv:runtimeClasspath file:default csv:default Evidence Type Source Name Value Confidence Vendor file name backport-util-concurrent High Vendor jar package name edu Low Vendor jar package name emory Low Vendor gradle groupid backport-util-concurrent Highest Vendor jar package name mathcs Low Product file name backport-util-concurrent High Product gradle artifactid backport-util-concurrent Highest Product jar package name emory Low Product jar package name mathcs Low Product jar package name backport Low Version file version 3.1 High Version file name backport-util-concurrent Medium Version gradle version 3.1 Highest
base64-2.3.8.jar
Description:
A Java class providing very fast Base64 encoding and decoding
in the form of convenience methods and input/output streams.
License:
Public domain
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.iharder/base64/2.3.8/7d2e2cea90cc51169fd02a35888820ab07f6d02f/base64-2.3.8.jar
MD5: 9a9828f0caa016a2f3e0c90fe3af771b
SHA1: 7d2e2cea90cc51169fd02a35888820ab07f6d02f
SHA256: bbf41fda22877a538f6bc2d5ad0aa372a7ddf4a756af3386aa09d3d4eea84f7f
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor pom artifactid base64 Low Vendor gradle groupid net.iharder Highest Vendor jar package name net Highest Vendor jar package name net Low Vendor pom groupid net.iharder Highest Vendor jar package name iharder Low Vendor pom name base64 High Vendor pom url http://iharder.net/base64/ Highest Vendor jar package name base64 Highest Vendor jar package name iharder Highest Vendor file name base64 High Product jar package name net Highest Product pom artifactid base64 Highest Product pom groupid net.iharder Highest Product jar package name iharder Low Product gradle artifactid base64 Highest Product pom name base64 High Product pom url http://iharder.net/base64/ Medium Product jar package name base64 Highest Product jar package name iharder Highest Product file name base64 High Version file version 2.3.8 High Version gradle version 2.3.8 Highest Version pom version 2.3.8 Highest
bcprov-jdk15on-1.60.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.60/bd47ad3bd14b8e82595c7adaa143501e60842a84/bcprov-jdk15on-1.60.jar
MD5: 435ff931af9ed4430d2a27456b0386b2
SHA1: bd47ad3bd14b8e82595c7adaa143501e60842a84
SHA256: 7f1a0e6badab38666f8467a9a0ee96656b2f8ec8623867ed34f3cdc173b7ee07
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence Type Source Name Value Confidence Vendor Manifest bundle-symbolicname bcprov Medium Vendor Manifest originally-created-by 25.171-b11 (Oracle Corporation) Low Vendor file name bcprov-jdk15on High Vendor Manifest extension-name org.bouncycastle.bcprovider Medium Vendor Manifest caller-allowable-codebase * Low Vendor Manifest application-library-allowable-codebase * Low Vendor Manifest codebase * Low Vendor jar package name bouncycastle Low Vendor Manifest application-name Bouncy Castle Provider Medium Vendor Manifest specification-vendor BouncyCastle.org Low Vendor Manifest Implementation-Vendor BouncyCastle.org High Vendor Manifest Implementation-Vendor-Id org.bouncycastle Medium Vendor jar package name provider Highest Vendor jar package name bouncycastle Highest Vendor Manifest permissions all-permissions Low Vendor Manifest automatic-module-name org.bouncycastle.provider Medium Vendor gradle groupid org.bouncycastle Highest Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Vendor Manifest trusted-library true Low Product Manifest bundle-symbolicname bcprov Medium Product Manifest originally-created-by 25.171-b11 (Oracle Corporation) Low Product file name bcprov-jdk15on High Product Manifest extension-name org.bouncycastle.bcprovider Medium Product Manifest caller-allowable-codebase * Low Product Manifest application-library-allowable-codebase * Low Product Manifest codebase * Low Product Manifest application-name Bouncy Castle Provider Medium Product gradle artifactid bcprov-jdk15on Highest Product hint analyzer product legion-of-the-bouncy-castle-java-crytography-api High Product jar package name provider Highest Product Manifest permissions all-permissions Low Product jar package name bouncycastle Highest Product Manifest automatic-module-name org.bouncycastle.provider Medium Product Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Product Manifest Bundle-Name bcprov Medium Product Manifest trusted-library true Low Version Manifest Implementation-Version 1.60.0 High Version file version 1.60 High
Published Vulnerabilities: CVE-2020-26939
In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption. CWE-203 Information Exposure Through Discrepancy
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
bsh-2.0b4.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.beanshell/bsh/2.0b4/a05f0a0feefa8d8467ac80e16e7de071489f0d9c/bsh-2.0b4.jar
MD5: a1c60aa83c9c9a6cb2391c1c1b85eb00
SHA1: a05f0a0feefa8d8467ac80e16e7de071489f0d9c
SHA256: 91395c07885839a8c6986d5b7c577cd9bacf01bf129c89141f35e8ea858427b6
Referenced In Projects/Scopes:
babel:fmppClaspath server:fmppClaspath core:fmppClaspath Evidence Type Source Name Value Confidence Vendor Manifest Implementation-Vendor Pat Niemeyer (pat@pat.net) High Vendor jar package name bsh Low Vendor Manifest specification-vendor http://www.beanshell.org/ Low Vendor gradle groupid org.beanshell Highest Vendor hint analyzer vendor beanshell_project Highest Vendor file name bsh High Product hint analyzer product beanshell Highest Product gradle artifactid bsh Highest Product Manifest specification-title BeanShell Medium Product file name bsh High Version Manifest Implementation-Version 2.0b4 2005-05-23 11:49:20 High Version gradle version 2.0b4 Highest Version file version 2.0.b4 High Version file name bsh Medium
Published Vulnerabilities: CVE-2016-2510 (OSSINDEX)
BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.
CVSSv3:
Base Score: HIGH (8.1) Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.beanshell:bsh:2.0b4:*:*:*:*:*:*:*
calcite-babel-1.27.0-SNAPSHOT.jar
License:
Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/babel/build/libs/calcite-babel-1.27.0-SNAPSHOT.jar
MD5: a9c341167f2354704526f7987bba6d34
SHA1: 09eb40e5a183380b94e49e1a3f294355b9564c0a
SHA256: 932ff895f250523e953066d8e3cb85ca1660cf9723fd979fd1e0f005a9e59c82
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence Type Source Name Value Confidence Vendor gradle groupid org.apache.calcite Highest Vendor jar package name apache Highest Vendor jar package name calcite Low Vendor Manifest Implementation-Vendor-Id org.apache.calcite Medium Vendor jar package name apache Low Vendor file name calcite-babel High Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name calcite Highest Vendor jar package name sql Low Vendor Manifest Implementation-Vendor Apache Software Foundation High Product Manifest Implementation-Title Apache Calcite High Product jar package name apache Highest Product jar package name parser Low Product jar package name calcite Low Product gradle artifactid babel Highest Product file name calcite-babel High Product jar package name calcite Highest Product Manifest specification-title Apache Calcite Medium Product jar package name sql Low Version file version 1.27.0.snapshot High Version Manifest Implementation-Version 1.27.0-SNAPSHOT High
calcite-cassandra-1.27.0-SNAPSHOT.jar
License:
Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/cassandra/build/libs/calcite-cassandra-1.27.0-SNAPSHOT.jar
MD5: b36e40d094e656cb7c3649c9a02f07b5
SHA1: c460538001594b98010c30c98c37e0c3927060a8
SHA256: c9b5d5b8016f4413f408227820b3c9fdee90c39e2c321748af3d270d02c101ac
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence Type Source Name Value Confidence Vendor gradle groupid org.apache.calcite Highest Vendor jar package name apache Highest Vendor jar package name calcite Low Vendor Manifest Implementation-Vendor-Id org.apache.calcite Medium Vendor jar package name apache Low Vendor file name calcite-cassandra High Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name calcite Highest Vendor jar package name adapter Low Vendor Manifest Implementation-Vendor Apache Software Foundation High Product Manifest Implementation-Title Apache Calcite High Product jar package name apache Highest Product jar package name calcite Low Product jar package name cassandra Low Product file name calcite-cassandra High Product jar package name calcite Highest Product Manifest specification-title Apache Calcite Medium Product jar package name adapter Low Product gradle artifactid cassandra Highest Version file version 1.27.0.snapshot High Version Manifest Implementation-Version 1.27.0-SNAPSHOT High
Published Vulnerabilities: CVE-2020-13946
In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely. CWE-668 Exposure of Resource to Wrong Sphere
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
calcite-core-1.27.0-SNAPSHOT.jar
License:
Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/core/build/libs/calcite-core-1.27.0-SNAPSHOT.jar
MD5: 113305aa8972a4784033ecdabf53d99a
SHA1: b42f1fd1172d35f3f621188d072f09e72808ba4b
SHA256: 1efd29979e82c28a7c47feaa1608f2c9736b85e6b45c826df95b0313151f8182
Referenced In Projects/Scopes: cassandra:compileClasspath piglet:compileClasspath piglet:runtimeClasspath spark:default splunk:default kafka:default spark:compileClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath druid:compileClasspath plus:compileClasspath pig:default plus:runtimeClasspath splunk:compileClasspath function:default file:compileClasspath kafka:runtimeClasspath splunk:runtimeClasspath file:runtimeClasspath innodb:runtimeClasspath elasticsearch:default kafka:compileClasspath druid:runtimeClasspath mongodb:default cassandra:default babel:default function:runtimeClasspath redis:compileClasspath redis:runtimeClasspath function:compileClasspath elasticsearch:compileClasspath babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default babel:compileClasspath csv:default innodb:compileClasspath calcite:sqllineClasspath geode:default geode:compileClasspath mongodb:runtimeClasspath file:default server:default ubenchmark:jmhCompileClasspath pig:runtimeClasspath mongodb:compileClasspath server:compileClasspath redis:default geode:runtimeClasspath csv:compileClasspath csv:runtimeClasspath plus:default pig:compileClasspath
Evidence Type Source Name Value Confidence Vendor gradle groupid org.apache.calcite Highest Vendor jar package name apache Highest Vendor jar package name calcite Low Vendor file name calcite-core High Vendor Manifest Implementation-Vendor-Id org.apache.calcite Medium Vendor jar package name apache Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name calcite Highest Vendor Manifest Implementation-Vendor Apache Software Foundation High Product Manifest Implementation-Title Apache Calcite High Product jar package name apache Highest Product gradle artifactid core Highest Product jar package name calcite Low Product file name calcite-core High Product jar package name calcite Highest Product Manifest specification-title Apache Calcite Medium Version file version 1.27.0.snapshot High Version Manifest Implementation-Version 1.27.0-SNAPSHOT High
calcite-druid-1.27.0-SNAPSHOT.jar
License: Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/druid/build/libs/calcite-druid-1.27.0-SNAPSHOT.jar
MD5: 50e9ab2e98945f64614bbe95aba3e59b
SHA1: c2bfca773697bccb2d4d218a9d0167db4cda50df
SHA256: cd7ce3c9be4d1dd1191f9128c43e90b84e603fcf18f2f04acc3019d2fd1b035e
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence Type Source Name Value Confidence Vendor gradle groupid org.apache.calcite Highest Vendor jar package name apache Highest Vendor file name calcite-druid High Vendor jar package name calcite Low Vendor Manifest Implementation-Vendor-Id org.apache.calcite Medium Vendor jar package name apache Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name calcite Highest Vendor jar package name adapter Low Vendor Manifest Implementation-Vendor Apache Software Foundation High Product Manifest Implementation-Title Apache Calcite High Product jar package name apache Highest Product file name calcite-druid High Product jar package name calcite Low Product jar package name druid Low Product gradle artifactid druid Highest Product jar package name calcite Highest Product Manifest specification-title Apache Calcite Medium Product jar package name adapter Low Version file version 1.27.0.snapshot High Version Manifest Implementation-Version 1.27.0-SNAPSHOT High
calcite-elasticsearch-1.27.0-SNAPSHOT.jar
License: Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/elasticsearch/build/libs/calcite-elasticsearch-1.27.0-SNAPSHOT.jar
MD5: 5f6062973305bf8ab81b0403f97dae2d
SHA1: 82e40b5d2f09793f208b386c918892006c16aa41
SHA256: 92776d571b7f9fcd7d80430cef5921a9c5101a26b3d26d8d7b3feaa6f80c5cc5
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence Type Source Name Value Confidence Vendor gradle groupid org.apache.calcite Highest Vendor jar package name apache Highest Vendor jar package name calcite Low Vendor Manifest Implementation-Vendor-Id org.apache.calcite Medium Vendor jar package name apache Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name calcite Highest Vendor jar package name adapter Low Vendor file name calcite-elasticsearch High Vendor Manifest Implementation-Vendor Apache Software Foundation High Product Manifest Implementation-Title Apache Calcite High Product jar package name elasticsearch Low Product jar package name apache Highest Product jar package name calcite Low Product gradle artifactid elasticsearch Highest Product jar package name calcite Highest Product Manifest specification-title Apache Calcite Medium Product jar package name adapter Low Product file name calcite-elasticsearch High Version file version 1.27.0.snapshot High Version Manifest Implementation-Version 1.27.0-SNAPSHOT High
calcite-file-1.27.0-SNAPSHOT.jar
License: Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/file/build/libs/calcite-file-1.27.0-SNAPSHOT.jar
MD5: fe8d14acc055d09b182edce74c8f8e40
SHA1: 56c4aa1bf21d2d3a66a41a185dca6949196f313e
SHA256: 5c9deb00ad74de1354ae9cb4907caeafc06d657e5dc71030ea99016e8172ca72
Referenced In Projects/Scopes: calcite:sqllineClasspath csv:compileClasspath csv:runtimeClasspath csv:default Evidence Type Source Name Value Confidence Vendor gradle groupid org.apache.calcite Highest Vendor jar package name apache Highest Vendor jar package name calcite Low Vendor file name calcite-file High Vendor Manifest Implementation-Vendor-Id org.apache.calcite Medium Vendor jar package name apache Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name calcite Highest Vendor jar package name adapter Low Vendor Manifest Implementation-Vendor Apache Software Foundation High Product Manifest Implementation-Title Apache Calcite High Product jar package name file Low Product jar package name apache Highest Product jar package name calcite Low Product file name calcite-file High Product jar package name calcite Highest Product Manifest specification-title Apache Calcite Medium Product jar package name adapter Low Product gradle artifactid file Highest Version file version 1.27.0.snapshot High Version Manifest Implementation-Version 1.27.0-SNAPSHOT High
calcite-geode-1.27.0-SNAPSHOT.jar
License: Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/geode/build/libs/calcite-geode-1.27.0-SNAPSHOT.jar
MD5: 313b474a73934bb2b22772a486cc992f
SHA1: 0fc1f5ba657c551b40ff56991da9b34523e70392
SHA256: 3560d728f77b4d7e14a8922b439e60d6fbab5d092bf537d65d1ab7321db23d11
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence Type Source Name Value Confidence Vendor gradle groupid org.apache.calcite Highest Vendor jar package name apache Highest Vendor jar package name calcite Low Vendor file name calcite-geode High Vendor Manifest Implementation-Vendor-Id org.apache.calcite Medium Vendor jar package name apache Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name calcite Highest Vendor jar package name adapter Low Vendor Manifest Implementation-Vendor Apache Software Foundation High Product Manifest Implementation-Title Apache Calcite High Product jar package name apache Highest Product jar package name geode Low Product jar package name calcite Low Product file name calcite-geode High Product jar package name calcite Highest Product Manifest specification-title Apache Calcite Medium Product gradle artifactid geode Highest Product jar package name adapter Low Version file version 1.27.0.snapshot High Version Manifest Implementation-Version 1.27.0-SNAPSHOT High
calcite-innodb-1.27.0-SNAPSHOT.jar
License: Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/innodb/build/libs/calcite-innodb-1.27.0-SNAPSHOT.jar
MD5: 6c06f60d001f44314cd9deff5976d6d1
SHA1: 5a926c9a7b2f960faf2dcb4e3f7eb6445d4847eb
SHA256: ca7fc8c9577e7b8e67ef6b51153a6289ec58e34a40a55008c26948e031d3c23f
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence Type Source Name Value Confidence Vendor gradle groupid org.apache.calcite Highest Vendor jar package name apache Highest Vendor file name calcite-innodb High Vendor jar package name calcite Low Vendor Manifest Implementation-Vendor-Id org.apache.calcite Medium Vendor jar package name apache Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name calcite Highest Vendor jar package name adapter Low Vendor Manifest Implementation-Vendor Apache Software Foundation High Product Manifest Implementation-Title Apache Calcite High Product jar package name apache Highest Product jar package name innodb Low Product file name calcite-innodb High Product jar package name calcite Low Product jar package name calcite Highest Product Manifest specification-title Apache Calcite Medium Product jar package name adapter Low Product gradle artifactid innodb Highest Version file version 1.27.0.snapshot High Version Manifest Implementation-Version 1.27.0-SNAPSHOT High
calcite-kafka-1.27.0-SNAPSHOT.jar
License: Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/kafka/build/libs/calcite-kafka-1.27.0-SNAPSHOT.jar
MD5: 69bf6a9c2640cf31d0571982ecc88168
SHA1: ac01b0805affe004de6c64848126396a881a41a2
SHA256: 5f1755af035ab95442183b07be47b11d67112fbe21d3f556c0df973897ae5f67
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | calcite-kafka | High
Vendor | gradle | groupid | org.apache.calcite | Highest
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | calcite | Low
Vendor | Manifest | Implementation-Vendor-Id | org.apache.calcite | Medium
Vendor | jar | package name | apache | Low
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | jar | package name | calcite | Highest
Vendor | jar | package name | adapter | Low
Vendor | Manifest | Implementation-Vendor | Apache Software Foundation | High
Product | file | name | calcite-kafka | High
Product | Manifest | Implementation-Title | Apache Calcite | High
Product | jar | package name | apache | Highest
Product | jar | package name | calcite | Low
Product | jar | package name | kafka | Low
Product | jar | package name | calcite | Highest
Product | Manifest | specification-title | Apache Calcite | Medium
Product | gradle | artifactid | kafka | Highest
Product | jar | package name | adapter | Low
Version | file | version | 1.27.0.snapshot | High
Version | Manifest | Implementation-Version | 1.27.0-SNAPSHOT | High
Published Vulnerabilities
Match basis: every vendor evidence entry on this jar points at Apache / org.apache.calcite, and the product evidence "kafka" comes from the Gradle artifactId (Highest) and a package-name token (Low), so the scanner identified the artifact as Apache Kafka. The jar is the Calcite Kafka adapter and contains neither the Kafka broker nor the client library, while the issue below is a broker-side ACL check. For this jar the finding is a false positive; whether any real Kafka artifact on the classpath is affected is answered by that artifact's own entry, not by this one.
CVE-2018-17196
In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually craft a Produce request which bypasses transaction/idempotent ACL validation. Only authenticated clients with Write permission on the respective topics are able to exploit this vulnerability. Users should upgrade to 2.1.1 or later where this vulnerability has been fixed. NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (6.5) Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
calcite-linq4j-1.27.0-SNAPSHOT.jar
License: Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/linq4j/build/libs/calcite-linq4j-1.27.0-SNAPSHOT.jar
MD5: aa77dd1c0e1d978193fba2a87aa7eeae
SHA1: a421394fda595e436505d75fae6587749766af87
SHA256: 424c734be61cfadc2489f73831d6ec4bd49fed75325e33c6fc438e88f2bf3739
Referenced In Projects/Scopes: cassandra:compileClasspath piglet:compileClasspath piglet:runtimeClasspath spark:default splunk:default kafka:default spark:compileClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath druid:compileClasspath plus:compileClasspath pig:default plus:runtimeClasspath splunk:compileClasspath function:default file:compileClasspath core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath file:runtimeClasspath innodb:runtimeClasspath elasticsearch:default kafka:compileClasspath druid:runtimeClasspath mongodb:default cassandra:default babel:default function:runtimeClasspath redis:compileClasspath redis:runtimeClasspath core:default function:compileClasspath elasticsearch:compileClasspath babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default babel:compileClasspath csv:default innodb:compileClasspath core:compileClasspath calcite:sqllineClasspath core:apiDependenciesMetadata core:runtimeClasspath geode:default geode:compileClasspath mongodb:runtimeClasspath file:default server:default ubenchmark:jmhCompileClasspath pig:runtimeClasspath mongodb:compileClasspath server:compileClasspath redis:default geode:runtimeClasspath csv:compileClasspath csv:runtimeClasspath plus:default pig:compileClasspath Evidence Type Source Name Value Confidence Vendor gradle groupid org.apache.calcite Highest Vendor jar package name apache Highest Vendor jar package name linq4j Low Vendor jar package name calcite Low Vendor Manifest Implementation-Vendor-Id org.apache.calcite Medium Vendor jar package name apache Low Vendor file name calcite-linq4j High Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name calcite Highest Vendor Manifest Implementation-Vendor Apache Software Foundation High Product Manifest Implementation-Title Apache Calcite High Product jar package name apache Highest Product gradle artifactid linq4j Highest 
Product jar package name linq4j Low Product jar package name calcite Low Product file name calcite-linq4j High Product jar package name calcite Highest Product Manifest specification-title Apache Calcite Medium Version file version 1.27.0.snapshot High Version Manifest Implementation-Version 1.27.0-SNAPSHOT High
calcite-mongodb-1.27.0-SNAPSHOT.jar
License: Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/mongodb/build/libs/calcite-mongodb-1.27.0-SNAPSHOT.jar
MD5: 0b0a19fae6aee1434f001558a5a46a70
SHA1: 2e6ad4dbc9d0d3c13250f00d540ab54da1bc2eb5
SHA256: 4205da6f1cd594e7dc812d2fa01489bf13d138c6fda01b76e48d5c1444141f12
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence Type Source Name Value Confidence Vendor gradle groupid org.apache.calcite Highest Vendor jar package name apache Highest Vendor jar package name calcite Low Vendor Manifest Implementation-Vendor-Id org.apache.calcite Medium Vendor file name calcite-mongodb High Vendor jar package name apache Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name calcite Highest Vendor jar package name adapter Low Vendor Manifest Implementation-Vendor Apache Software Foundation High Product Manifest Implementation-Title Apache Calcite High Product jar package name apache Highest Product jar package name calcite Low Product file name calcite-mongodb High Product jar package name mongodb Low Product gradle artifactid mongodb Highest Product jar package name calcite Highest Product Manifest specification-title Apache Calcite Medium Product jar package name adapter Low Version file version 1.27.0.snapshot High Version Manifest Implementation-Version 1.27.0-SNAPSHOT High
calcite-pig-1.27.0-SNAPSHOT.jar
License: Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/pig/build/libs/calcite-pig-1.27.0-SNAPSHOT.jar
MD5: fd504909c550767df47ceb0b669a4315
SHA1: a32dce7b43a96b83330025fbba23ad006f31db86
SHA256: b48b69c8a81de35590e10d92039950d908b2eae5f6a4baf652a54fa5741165ff
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence Type Source Name Value Confidence Vendor gradle groupid org.apache.calcite Highest Vendor jar package name apache Highest Vendor jar package name calcite Low Vendor Manifest Implementation-Vendor-Id org.apache.calcite Medium Vendor jar package name apache Low Vendor file name calcite-pig High Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name calcite Highest Vendor jar package name adapter Low Vendor Manifest Implementation-Vendor Apache Software Foundation High Product Manifest Implementation-Title Apache Calcite High Product jar package name apache Highest Product jar package name calcite Low Product gradle artifactid pig Highest Product file name calcite-pig High Product jar package name calcite Highest Product Manifest specification-title Apache Calcite Medium Product jar package name adapter Low Product jar package name pig Low Version file version 1.27.0.snapshot High Version Manifest Implementation-Version 1.27.0-SNAPSHOT High
calcite-piglet-1.27.0-SNAPSHOT.jar
License: Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/piglet/build/libs/calcite-piglet-1.27.0-SNAPSHOT.jar
MD5: 59e48d95495dab0d1fa5b8401d84e09f
SHA1: 7a3ea426927ba73c5fba70dd66130cdd53032b80
SHA256: e31b238ba3ce5156c2261f66d98df92cfcd3024fbbef125682cf6c258c19ef77
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence Type Source Name Value Confidence Vendor gradle groupid org.apache.calcite Highest Vendor jar package name apache Highest Vendor jar package name calcite Low Vendor Manifest Implementation-Vendor-Id org.apache.calcite Medium Vendor jar package name apache Low Vendor jar package name piglet Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor file name calcite-piglet High Vendor jar package name calcite Highest Vendor Manifest Implementation-Vendor Apache Software Foundation High Product Manifest Implementation-Title Apache Calcite High Product jar package name apache Highest Product gradle artifactid piglet Highest Product jar package name calcite Low Product jar package name piglet Low Product file name calcite-piglet High Product jar package name calcite Highest Product Manifest specification-title Apache Calcite Medium Version file version 1.27.0.snapshot High Version Manifest Implementation-Version 1.27.0-SNAPSHOT High
calcite-plus-1.27.0-SNAPSHOT.jar
License: Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/plus/build/libs/calcite-plus-1.27.0-SNAPSHOT.jar
MD5: ebfd19702a51b962cbdf860088dc8a3c
SHA1: e14e9444c9a09410530c3a018ada530a997ff152
SHA256: 5f6785a80e7ceec0b9e37b7b97827db92ace4d2b62ff5a75c9af4410fadcbb70
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence Type Source Name Value Confidence Vendor gradle groupid org.apache.calcite Highest Vendor jar package name apache Highest Vendor jar package name calcite Low Vendor Manifest Implementation-Vendor-Id org.apache.calcite Medium Vendor jar package name apache Low Vendor file name calcite-plus High Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name calcite Highest Vendor jar package name adapter Low Vendor Manifest Implementation-Vendor Apache Software Foundation High Product Manifest Implementation-Title Apache Calcite High Product jar package name apache Highest Product jar package name calcite Low Product gradle artifactid plus Highest Product file name calcite-plus High Product jar package name calcite Highest Product Manifest specification-title Apache Calcite Medium Product jar package name adapter Low Product jar package name os Low Version file version 1.27.0.snapshot High Version Manifest Implementation-Version 1.27.0-SNAPSHOT High
calcite-redis-1.27.0-SNAPSHOT.jar
License: Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/redis/build/libs/calcite-redis-1.27.0-SNAPSHOT.jar
MD5: 178187a9f3814e90db417b02ec9eaf6d
SHA1: 24d53daa938f5da71826b2d944d136c49d0d400b
SHA256: 5ba3978fc3c8406fb4866711d2df410d702f7c2461839b6b5cb41106384b22b2
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence Type Source Name Value Confidence Vendor gradle groupid org.apache.calcite Highest Vendor file name calcite-redis High Vendor jar package name apache Highest Vendor jar package name calcite Low Vendor Manifest Implementation-Vendor-Id org.apache.calcite Medium Vendor jar package name apache Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name calcite Highest Vendor jar package name adapter Low Vendor Manifest Implementation-Vendor Apache Software Foundation High Product Manifest Implementation-Title Apache Calcite High Product file name calcite-redis High Product gradle artifactid redis Highest Product jar package name apache Highest Product jar package name redis Low Product jar package name calcite Low Product jar package name calcite Highest Product Manifest specification-title Apache Calcite Medium Product jar package name adapter Low Version file version 1.27.0.snapshot High Version Manifest Implementation-Version 1.27.0-SNAPSHOT High
calcite-spark-1.27.0-SNAPSHOT.jar
License: Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/spark/build/libs/calcite-spark-1.27.0-SNAPSHOT.jar
MD5: 75d3c36f4efc32f38fd99f0e4b189733
SHA1: deea01c29c234241350fad9ad51f21850544d5db
SHA256: cff097e1b48e58fe9db65a4d3ede842dceadf981dfc809baff5016018b1ea043
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | gradle | groupid | org.apache.calcite | Highest
Vendor | file | name | calcite-spark | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | calcite | Low
Vendor | Manifest | Implementation-Vendor-Id | org.apache.calcite | Medium
Vendor | jar | package name | apache | Low
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | jar | package name | calcite | Highest
Vendor | jar | package name | adapter | Low
Vendor | Manifest | Implementation-Vendor | Apache Software Foundation | High
Product | Manifest | Implementation-Title | Apache Calcite | High
Product | gradle | artifactid | spark | Highest
Product | file | name | calcite-spark | High
Product | jar | package name | apache | Highest
Product | jar | package name | spark | Low
Product | jar | package name | calcite | Low
Product | jar | package name | calcite | Highest
Product | Manifest | specification-title | Apache Calcite | Medium
Product | jar | package name | adapter | Low
Version | file | version | 1.27.0.snapshot | High
Version | Manifest | Implementation-Version | 1.27.0-SNAPSHOT | High
Published Vulnerabilities
Match basis: as with the Kafka adapter, the vendor evidence on this jar is entirely Apache / org.apache.calcite and the product evidence "spark" comes from the Gradle artifactId (Highest) and a package-name token (Low), so the artifact was identified as Apache Spark. The jar is the Calcite Spark adapter; the six CVEs below concern Spark's standalone master, its REST submission API, its source-build script, the local PySpark/SparkR connection and its web UIs, none of which this jar contains. For this jar they are false positives; whether the Spark artifacts actually on the classpath are affected is a separate question answered by their own entries.
CVE-2017-7678
In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2018-11770
From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'. CWE-287 Improper Authentication
CVSSv2: Base Score: MEDIUM (4.9) Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N
CVSSv3: Base Score: MEDIUM (4.2) Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
CVE-2018-11804
Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code. CWE-20 Improper Input Validation
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2018-1334
In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. CWE-200 Information Exposure
CVSSv2: Base Score: LOW (1.9) Vector: AV:L/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (4.7) Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
CVE-2018-17190
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected. NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-9480
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc). CWE-287 Improper Authentication
CVSSv2: Base Score: HIGH (9.3) Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
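The Spark findings on this entry and CVE-2018-17196 on calcite-kafka-1.27.0-SNAPSHOT.jar earlier on this page are the same defect: the scanner's CPE identification, not vulnerable code in the jar. The durable fix is therefore to suppress the mis-assigned CPE for the two Calcite adapter artifacts rather than to suppress each CVE one at a time, which leaves the mis-identification in place to resurface with the next Kafka or Spark advisory. The suppression file below is an added example written for this page; it is not part of the Calcite project and was not generated by Dependency-Check. It uses the suppression schema that a report's "suppress" links produce entries for, and it assumes the artifacts are identified by the package URLs pkg:maven/org.apache.calcite/calcite-kafka and pkg:maven/org.apache.calcite/calcite-spark, which the Gradle evidence above (groupid org.apache.calcite, artifactid kafka / spark) supports but which the report does not print.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file for this report; not project or tool output. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- calcite-kafka-1.27.0-SNAPSHOT.jar was identified as cpe:/a:apache:kafka
       because its vendor evidence is all "apache" and its product evidence
       carries "kafka" from the Gradle artifactId. Suppressing the CPE, not the
       single CVE, removes every present and future Kafka CVE from this one
       artifact; any real kafka-clients jar on the classpath keeps its own entry.
       The packageUrl is an assumption derived from the Gradle groupid/artifactid. -->
  <suppress>
    <notes><![CDATA[
    file name: calcite-kafka-1.27.0-SNAPSHOT.jar
    Calcite Kafka adapter, not Apache Kafka. CPE match comes from the artifactId token only.
    Reviewed 2021-05-27 against the evidence table in the Dependency-Check report.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.calcite/calcite\-kafka@.*$</packageUrl>
    <cpe>cpe:/a:apache:kafka</cpe>
  </suppress>

  <!-- Same pattern for calcite-spark-1.27.0-SNAPSHOT.jar, identified as cpe:/a:apache:spark. -->
  <suppress>
    <notes><![CDATA[
    file name: calcite-spark-1.27.0-SNAPSHOT.jar
    Calcite Spark adapter, not Apache Spark. None of the six Spark CVEs concern code in this jar.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.calcite/calcite\-spark@.*$</packageUrl>
    <cpe>cpe:/a:apache:spark</cpe>
  </suppress>

  <!-- The form the report's "suppress" link would emit pins one build by SHA1
       (the value printed for calcite-kafka above). It is shown disabled: a
       SNAPSHOT jar is rebuilt locally, the hash changes, and the suppression
       silently stops matching. -->
  <!--
  <suppress>
    <sha1>ac01b0805affe004de6c64848126396a881a41a2</sha1>
    <cpe>cpe:/a:apache:kafka</cpe>
  </suppress>
  -->
</suppressions>
```

Point the Gradle plugin at the file with `dependencyCheck { suppressionFile = 'config/owasp-suppressions.xml' }`, or pass `--suppression <file>` to the CLI; on the next run the entries leave the vulnerable-dependencies list and are counted as suppressed instead. Keep the notes block filled in: a suppression without a recorded reason and date is a finding that nobody will later dare to remove or revisit.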
calcite-splunk-1.27.0-SNAPSHOT.jar
License: Apache-2.0
File Path: /home/stamatis/Projects/Apache/calcite/splunk/build/libs/calcite-splunk-1.27.0-SNAPSHOT.jar
MD5: ce109a023797fbb7c173318ad21f07de
SHA1: 0a0d5ce7cbc8621af9bc544a53a3ce7394d50dd2
SHA256: 1ce916d144d379ddb658e528972aedea96b5bb1411ac85059cc12d848d0f085a
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence Type Source Name Value Confidence Vendor gradle groupid org.apache.calcite Highest Vendor file name calcite-splunk High Vendor jar package name apache Highest Vendor jar package name calcite Low Vendor Manifest Implementation-Vendor-Id org.apache.calcite Medium Vendor jar package name apache Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name calcite Highest Vendor jar package name adapter Low Vendor Manifest Implementation-Vendor Apache Software Foundation High Product Manifest Implementation-Title Apache Calcite High Product gradle artifactid splunk Highest Product file name calcite-splunk High Product jar package name apache Highest Product jar package name calcite Low Product jar package name splunk Low Product jar package name calcite Highest Product Manifest specification-title Apache Calcite Medium Product jar package name adapter Low Version file version 1.27.0.snapshot High Version Manifest Implementation-Version 1.27.0-SNAPSHOT High
cassandra-driver-core-3.6.0.jar
Description:
A driver for Apache Cassandra 1.2+ that works exclusively with the Cassandra Query Language version 3 (CQL3) and Cassandra's binary protocol.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.datastax.cassandra/cassandra-driver-core/3.6.0/1d689ae757862f7c497dd6b186793d1bf921fd28/cassandra-driver-core-3.6.0.jar
MD5: 9df692b40e6988a343416faadfa44447
SHA1: 1d689ae757862f7c497dd6b186793d1bf921fd28
SHA256: 98c47402b32e2dd78b2b2f4346087d0548f467f81f5be418ffdb229767a22a17
Referenced In Projects/Scopes: cassandra:compileClasspath calcite:sqllineClasspath cassandra:runtimeClasspath cassandra:default Evidence Type Source Name Value Confidence Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor pom groupid datastax.cassandra Highest Vendor pom parent-artifactid cassandra-driver-parent Low Vendor jar package name driver Highest Vendor file name cassandra-driver-core High Vendor jar package name datastax Highest Vendor pom artifactid cassandra-driver-core Low Vendor jar package name core Highest Vendor pom parent-groupid com.datastax.cassandra Medium Vendor gradle groupid com.datastax.cassandra Highest Vendor Manifest bundle-symbolicname com.datastax.driver.core Medium Vendor pom name DataStax Java Driver for Apache Cassandra - Core High Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product pom groupid datastax.cassandra Highest Product jar package name driver Highest Product file name cassandra-driver-core High Product jar package name datastax Highest Product jar package name core Highest Product pom parent-groupid com.datastax.cassandra Medium Product pom parent-artifactid cassandra-driver-parent Medium Product Manifest Bundle-Name DataStax Java Driver for Apache Cassandra - Core Medium Product Manifest bundle-symbolicname com.datastax.driver.core Medium Product pom name DataStax Java Driver for Apache Cassandra - Core High Product pom artifactid cassandra-driver-core Highest Product gradle artifactid cassandra-driver-core Highest Version pom version 3.6.0 Highest Version Manifest Bundle-Version 3.6.0 High Version file version 3.6.0 High Version gradle version 3.6.0 Highest
cglib-2.2.1-v20090111.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.sonatype.sisu.inject/cglib/2.2.1-v20090111/7ce5e983fd0e6c78346f4c9cbfa39d83049dda2/cglib-2.2.1-v20090111.jar
MD5: 88af5931165ac8becab84a157c9bace0
SHA1: 07ce5e983fd0e6c78346f4c9cbfa39d83049dda2
SHA256: 42e1dfb26becbf1a633f25b47e39fcc422b85e77e4c0468d9a44f885f5fa0be2
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | gradle | groupid | org.sonatype.sisu.inject | Highest
Vendor | jar | package name | net | Low
Vendor | file | name | cglib | High
Vendor | jar | package name | cglib | Low
Vendor | jar | package name | sf | Low
Product | file | name | cglib | High
Product | jar | package name | cglib | Low
Product | gradle | artifactid | cglib | Highest
Product | jar | package name | sf | Low
Version | file | name | cglib | Medium
Version | gradle | version | 2.2.1-v20090111 | Highest
Version | file | version | 2.2.1.v20090111 | High
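Every entry in this report pairs a file with its MD5, SHA1 and SHA256, and for jars taken from the Gradle cache the file path itself encodes the SHA1 as a directory name. The cglib entry above shows the one wrinkle in that encoding: the directory is 7ce5e983... while the SHA1 is 07ce5e983..., because Gradle writes the hash as a hex integer and drops the leading zero. When a report was produced on someone else's machine (here under /home/stamatis), the way to trust an entry before acting on it is to recompute the digests of the jar you actually have and compare. The script below is an added example, not Dependency-Check or Calcite code; it uses only the Python standard library, exercises itself on a constructed sample file rather than the real jars, and its cache-path regex is an assumption about Gradle's modules-2/files-2.1 layout taken from the paths printed on this page.

```python
"""Re-check the artifact identity claims in a Dependency-Check report.

Added example (not Dependency-Check or Calcite code). Standard library only.
"""
import hashlib
import os
import re
import tempfile

# Constructed sample content standing in for a jar; its digests are well known.
SAMPLE_BYTES = b"abc"

# Assumed Gradle cache layout, as in the report's paths:
#   .../modules-2/files-2.1/<group>/<artifact>/<version>/<sha1>/<file>
GRADLE_CACHE_RE = re.compile(
    r"/modules-2/files-2\.1/[^/]+/[^/]+/[^/]+/([0-9a-f]+)/[^/]+$"
)


def digests_of_bytes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of an in-memory blob, as lower-case hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def digests_of_file(path: str) -> dict:
    """Same three digests for a file, streamed so large jars are not read whole."""
    hashes = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def gradle_cache_dir_matches(path: str, sha1: str) -> bool:
    """True if the cache directory in `path` corresponds to `sha1`.

    Gradle names the directory with the hash as a hex integer, so leading zeros
    vanish (the report stores SHA1 07ce5e98... under 7ce5e98...). Compare with
    leading zeros stripped; plain string equality would reject valid paths.
    """
    m = GRADLE_CACHE_RE.search(path.replace(os.sep, "/"))
    return bool(m) and m.group(1) == sha1.lower().lstrip("0")


def verify_report_entry(path: str, expected: dict) -> list:
    """Compare the file on disk with the digests a report entry claims.

    `expected` holds any of the keys md5/sha1/sha256. Returns the list of
    mismatches; an empty list means the file is the one the report scanned.
    """
    actual = digests_of_file(path)
    problems = []
    for algo in ("md5", "sha1", "sha256"):
        if algo in expected and expected[algo].lower() != actual[algo]:
            problems.append(f"{algo}: report {expected[algo]} != disk {actual[algo]}")
    if "/modules-2/files-2.1/" in path.replace(os.sep, "/") and "sha1" in expected:
        if not gradle_cache_dir_matches(path, expected["sha1"]):
            problems.append("gradle cache directory does not correspond to the reported sha1")
    return problems


def write_constructed_sample(gradle_layout: bool = False) -> str:
    """Write SAMPLE_BYTES to a temp file and return its path.

    With gradle_layout=True the file is placed under a Gradle-style cache path
    whose hash directory is the leading-zero-stripped SHA1, so the path check
    in verify_report_entry is exercised as well.
    """
    root = tempfile.mkdtemp(prefix="dc-verify-")
    if gradle_layout:
        hash_dir = hashlib.sha1(SAMPLE_BYTES).hexdigest().lstrip("0")
        d = os.path.join(root, "modules-2", "files-2.1",
                         "example.group", "sample", "1.0", hash_dir)
        os.makedirs(d)
        path = os.path.join(d, "sample-1.0.jar")
    else:
        path = os.path.join(root, "sample-1.0.jar")
    with open(path, "wb") as f:
        f.write(SAMPLE_BYTES)
    return path


if __name__ == "__main__":
    sample = write_constructed_sample(gradle_layout=True)
    claimed = digests_of_bytes(SAMPLE_BYTES)      # what a report entry would print
    print(sample, verify_report_entry(sample, claimed) or "OK")
    claimed["sha256"] = "0" * 64                  # a wrong or tampered entry
    print(verify_report_entry(sample, claimed))
```

To use it on a real entry, pass the report's File Path and its three digests to verify_report_entry; a non-empty result means either the jar on disk is not the one that was scanned or the report was edited, and in both cases the findings attached to that entry should not be trusted until the discrepancy is explained.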
checker-qual-2.8.1.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.checkerframework/checker-qual/2.8.1/eb2e8ab75598548cc8acf9a1ca227e480e01881e/checker-qual-2.8.1.jar
MD5: e1c060246b024c4f260c6904e55a62a3
SHA1: eb2e8ab75598548cc8acf9a1ca227e480e01881e
SHA256: 9103499008bcecd4e948da29b17864abb64304e15706444ae209d17ebe0575df
Referenced In Projects/Scopes:
splunk:checkstyle cassandra:checkstyle piglet:checkstyle calcite:checkstyle bom:checkstyle function:checkstyle spark:checkstyle plus:checkstyle pig:checkstyle druid:checkstyle csv:checkstyle core:checkstyle server:checkstyle file:checkstyle geode:checkstyle mongodb:checkstyle elasticsearch:checkstyle release:checkstyle kafka:checkstyle ubenchmark:checkstyle linq4j:checkstyle redis:checkstyle babel:checkstyle example:checkstyle innodb:checkstyle Evidence Type Source Name Value Confidence Vendor Manifest automatic-module-name org.checkerframework.checker.qual Medium Vendor jar package name checkerframework Highest Vendor Manifest bundle-symbolicname checker-qual Medium Vendor jar package name checker Low Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor Manifest implementation-url https://checkerframework.org Low Vendor jar package name qual Highest Vendor jar package name checker Highest Vendor file name checker-qual High Vendor jar package name checkerframework Low Vendor gradle groupid org.checkerframework Highest Product jar package name checkerframework Highest Product Manifest Bundle-Name checker-qual Medium Product Manifest implementation-url https://checkerframework.org Low Product file name checker-qual High Product Manifest automatic-module-name org.checkerframework.checker.qual Medium Product jar package name qual Low Product Manifest bundle-symbolicname checker-qual Medium Product jar package name checker Low Product gradle artifactid checker-qual Highest Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product jar package name qual Highest Product jar package name checker Highest Version Manifest Implementation-Version 2.8.1 High Version file version 2.8.1 High
checker-qual-3.10.0.jar
License: MIT
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.checkerframework/checker-qual/3.10.0/710fd6abff4b26b40dc0917050dc4c67efcf60b6/checker-qual-3.10.0.jar
MD5: d7e964cf19235ee401c48383306aec86
SHA1: 710fd6abff4b26b40dc0917050dc4c67efcf60b6
SHA256: a4dc882ca6aac496d33381e5e5eb0604c45483b004bc3eac9368f1bb17cb2512
Referenced In Projects/Scopes: cassandra:compileClasspath piglet:compileClasspath piglet:runtimeClasspath spark:default splunk:default kafka:default spark:compileClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath linq4j:runtimeClasspath linq4j:default druid:compileClasspath plus:compileClasspath linq4j:compileClasspath pig:default plus:runtimeClasspath splunk:compileClasspath function:default file:compileClasspath core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath file:runtimeClasspath innodb:runtimeClasspath elasticsearch:default kafka:compileClasspath druid:runtimeClasspath mongodb:default cassandra:default babel:default function:runtimeClasspath redis:compileClasspath redis:runtimeClasspath core:default function:compileClasspath elasticsearch:compileClasspath babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default babel:compileClasspath csv:default innodb:compileClasspath core:compileClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default geode:compileClasspath mongodb:runtimeClasspath file:default server:default ubenchmark:jmhCompileClasspath pig:runtimeClasspath mongodb:compileClasspath server:compileClasspath redis:default geode:runtimeClasspath csv:compileClasspath csv:runtimeClasspath plus:default pig:compileClasspath Evidence Type Source Name Value Confidence Vendor Manifest automatic-module-name org.checkerframework.checker.qual Medium Vendor jar package name checkerframework Highest Vendor Manifest bundle-symbolicname checker-qual Medium Vendor jar package name checker Low Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor Manifest implementation-url https://checkerframework.org Low Vendor jar package name qual Highest Vendor jar package name checker Highest Vendor file name checker-qual High Vendor jar package name checkerframework Low Vendor gradle groupid org.checkerframework 
Highest Product jar package name checkerframework Highest Product Manifest Bundle-Name checker-qual Medium Product Manifest implementation-url https://checkerframework.org Low Product file name checker-qual High Product Manifest automatic-module-name org.checkerframework.checker.qual Medium Product jar package name qual Low Product Manifest bundle-symbolicname checker-qual Medium Product jar package name checker Low Product gradle artifactid checker-qual Highest Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product jar package name qual Highest Product jar package name checker Highest Version Manifest Implementation-Version 3.10.0 High Version file version 3.10.0 High
checkstyle-8.28.jar
Description:
Checkstyle is a development tool to help programmers write Java code
that adheres to a coding standard
License: LGPL-2.1+: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.puppycrawl.tools/checkstyle/8.28/f3c2dbcd412b6963dad8a10f441ca2c2d80e5141/checkstyle-8.28.jar
MD5: 1daec82b7364d09cee02c033a16cd651
SHA1: f3c2dbcd412b6963dad8a10f441ca2c2d80e5141
SHA256: aa79665b6dccd2a76f76599bd61b28f8daf2ff60afdba9adc130c7134b86ec33
Referenced In Projects/Scopes: splunk:checkstyle cassandra:checkstyle piglet:checkstyle calcite:checkstyle bom:checkstyle function:checkstyle spark:checkstyle plus:checkstyle pig:checkstyle druid:checkstyle csv:checkstyle core:checkstyle server:checkstyle file:checkstyle geode:checkstyle mongodb:checkstyle elasticsearch:checkstyle release:checkstyle kafka:checkstyle ubenchmark:checkstyle linq4j:checkstyle redis:checkstyle babel:checkstyle example:checkstyle innodb:checkstyle
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | checkstyle | Highest
Vendor | pom | name | checkstyle | High
Vendor | pom | url | https://checkstyle.org/ | Highest
Vendor | gradle | groupid | com.puppycrawl.tools | Highest
Vendor | pom | groupid | puppycrawl.tools | Highest
Vendor | Manifest | build-jdk-spec | 1.8 | Low
Vendor | jar | package name | puppycrawl | Highest
Vendor | jar | package name | tools | Highest
Vendor | pom | artifactid | checkstyle | Low
Vendor | file | name | checkstyle | High
Product | pom | url | https://checkstyle.org/ | Medium
Product | pom | groupid | puppycrawl.tools | Highest
Product | gradle | artifactid | checkstyle | Highest
Product | Manifest | build-jdk-spec | 1.8 | Low
Product | jar | package name | puppycrawl | Highest
Product | pom | artifactid | checkstyle | Highest
Product | jar | package name | checkstyle | Highest
Product | pom | name | checkstyle | High
Product | jar | package name | tools | Highest
Product | Manifest | specification-title | checkstyle | Medium
Product | file | name | checkstyle | High
Product | Manifest | Implementation-Title | checkstyle | High
Version | Manifest | Implementation-Version | 8.28 | High
Version | gradle | version | 8.28 | Highest
Version | file | version | 8.28 | High
Version | pom | version | 8.28 | Highest
Published Vulnerabilities
CVE-2019-10782
All versions of com.puppycrawl.tools:checkstyle before 8.29 are vulnerable to XML External Entity (XXE) Injection due to an incomplete fix for CVE-2019-9658. CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
chill-java-0.8.0.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.twitter/chill-java/0.8.0/7ab1c85ae80f25c6e6d4aab720ff9394a5ac4d5d/chill-java-0.8.0.jar
MD5: bdcfcfdbe1d37933f199bae56864b7d3
SHA1: 7ab1c85ae80f25c6e6d4aab720ff9394a5ac4d5d
SHA256: 35437ca2491823b74df3f9e98b2534a7fc853c562bf0969db12e21372a4f5e59
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | chill-java | High
Vendor | jar | package name | chill | Low
Vendor | jar | package name | twitter | Highest
Vendor | Manifest | specification-vendor | com.twitter | Low
Vendor | jar | package name | twitter | Low
Vendor | gradle | groupid | com.twitter | Highest
Vendor | Manifest | Implementation-Vendor-Id | com.twitter | Medium
Vendor | Manifest | Implementation-Vendor | com.twitter | High
Product | file | name | chill-java | High
Product | gradle | artifactid | chill-java | Highest
Product | jar | package name | chill | Low
Product | jar | package name | java | Highest
Product | Manifest | specification-title | chill-java | Medium
Product | Manifest | Implementation-Title | chill-java | High
Product | jar | package name | chill | Highest
Version | file | version | 0.8.0 | High
Version | Manifest | Implementation-Version | 0.8.0 | High
chill_2.10-0.8.0.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.twitter/chill_2.10/0.8.0/3646b3c6dec9e13d1bde44e7a5ba95f7198dfca8/chill_2.10-0.8.0.jar
MD5: 0d7eeabeac168edb9c2ce6aa00d063c1
SHA1: 3646b3c6dec9e13d1bde44e7a5ba95f7198dfca8
SHA256: 766dffe1c5dee37ace70484e59b4f1841265355f8ef3af93e2febc8a77b8cb7c
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | chill_2.10-0.8.0 | High
Vendor | jar | package name | chill | Low
Vendor | jar | package name | twitter | Highest
Vendor | Manifest | specification-vendor | com.twitter | Low
Vendor | jar | package name | twitter | Low
Vendor | gradle | groupid | com.twitter | Highest
Vendor | Manifest | Implementation-Vendor-Id | com.twitter | Medium
Vendor | Manifest | Implementation-Vendor | com.twitter | High
Product | file | name | chill_2.10-0.8.0 | High
Product | Manifest | Implementation-Title | chill | High
Product | gradle | artifactid | chill_2.10 | Highest
Product | jar | package name | chill | Low
Product | Manifest | specification-title | chill | Medium
Product | jar | package name | chill | Highest
Version | Manifest | Implementation-Version | 0.8.0 | High
Version | gradle | version | 0.8.0 | Highest
chinook-data-hsqldb-0.1.jar
Description: Chinook data set in hsqldb format
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.hydromatic/chinook-data-hsqldb/0.1/b53eb2e341198bb65ab4b28c415a872281802055/chinook-data-hsqldb-0.1.jar
MD5: a1f946559b62d4a2ca0df1fbcc1b0f5e
SHA1: b53eb2e341198bb65ab4b28c415a872281802055
SHA256: 01e410d531007d24dbd0ce135a11a734052c855e453da474ee12dd10b7999018
Referenced In Projects/Scopes: calcite:sqllineClasspath plus:compileClasspath plus:default plus:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | chinook | Highest
Vendor | jar | package name | net | Highest
Vendor | pom | name | chinook-data-hsqldb | High
Vendor | jar | package name | hydromatic | Highest
Vendor | pom | artifactid | chinook-data-hsqldb | Low
Vendor | jar | package name | data | Highest
Vendor | pom | organization url | http://www.hydromatic.net | Medium
Vendor | gradle | groupid | net.hydromatic | Highest
Vendor | pom | groupid | net.hydromatic | Highest
Vendor | file | name | chinook-data-hsqldb | High
Vendor | pom | parent-artifactid | parent | Low
Vendor | pom | url | http://github.com/julianhyde/chinook-data-hsqldb | Highest
Vendor | jar | package name | chinook | Low
Vendor | jar | package name | net | Low
Vendor | pom | organization name | Julian Hyde | High
Vendor | jar | package name | hydromatic | Low
Product | jar | package name | chinook | Highest
Product | pom | parent-artifactid | parent | Medium
Product | pom | organization name | Julian Hyde | Low
Product | jar | package name | net | Highest
Product | pom | name | chinook-data-hsqldb | High
Product | jar | package name | hydromatic | Highest
Product | jar | package name | data | Highest
Product | pom | artifactid | chinook-data-hsqldb | Highest
Product | pom | groupid | net.hydromatic | Highest
Product | file | name | chinook-data-hsqldb | High
Product | pom | url | http://github.com/julianhyde/chinook-data-hsqldb | Medium
Product | jar | package name | chinook | Low
Product | gradle | artifactid | chinook-data-hsqldb | Highest
Product | jar | package name | hydromatic | Low
Product | pom | organization url | http://www.hydromatic.net | Low
Product | jar | package name | data | Low
Version | gradle | version | 0.1 | Highest
Version | pom | version | 0.1 | Highest
Version | file | version | 0.1 | High
classgraph-4.0.6.jar
Description: Uber-fast, ultra-lightweight Java classpath and module path scanner (formerly named FastClasspathScanner). https://github.com/classgraph/classgraph
License: The MIT License (MIT): http://opensource.org/licenses/MIT
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.github.classgraph/classgraph/4.0.6/7fe1e7464ffd40c7333b8bbf53c4d73a7cbd7b4c/classgraph-4.0.6.jar
MD5: 7d170febb87aa7994272308df5c801b5
SHA1: 7fe1e7464ffd40c7333b8bbf53c4d73a7cbd7b4c
SHA256: b88663a3c775262afad6450d4670fc7c6afa64f4933db0d75e94d66f14230ef7
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | implementation-url | https://github.com/classgraph/classgraph | Low
Vendor | gradle | groupid | io.github.classgraph | Highest
Vendor | jar | package name | github | Highest
Vendor | pom | url | classgraph/classgraph | Highest
Vendor | pom | groupid | io.github.classgraph | Highest
Vendor | Manifest | bundle-symbolicname | io.github.classgraph.classgraph | Medium
Vendor | jar | package name | scanner | Highest
Vendor | pom | name | ClassGraph | High
Vendor | file | name | classgraph | High
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | Implementation-Vendor-Id | io.github.classgraph | Medium
Vendor | jar | package name | classgraph | Highest
Vendor | pom | artifactid | classgraph | Low
Vendor | Manifest | bundle-category | Utilities | Low
Product | Manifest | implementation-url | https://github.com/classgraph/classgraph | Low
Product | pom | url | classgraph/classgraph | High
Product | jar | package name | github | Highest
Product | pom | groupid | io.github.classgraph | Highest
Product | pom | artifactid | classgraph | Highest
Product | jar | package name | scanner | Highest
Product | Manifest | bundle-symbolicname | io.github.classgraph.classgraph | Medium
Product | pom | name | ClassGraph | High
Product | Manifest | Implementation-Title | ClassGraph | High
Product | gradle | artifactid | classgraph | Highest
Product | file | name | classgraph | High
Product | Manifest | specification-title | ClassGraph | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | Manifest | Bundle-Name | ClassGraph | Medium
Product | jar | package name | io | Highest
Product | jar | package name | classgraph | Highest
Product | Manifest | bundle-category | Utilities | Low
Version | file | version | 4.0.6 | High
Version | pom | version | 4.0.6 | Highest
Version | Manifest | Implementation-Version | 4.0.6 | High
Version | gradle | version | 4.0.6 | Highest
Version | Manifest | Bundle-Version | 4.0.6 | High
commons-beanutils-1.7.0.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-beanutils/commons-beanutils/1.7.0/5675fd96b29656504b86029551973d60fb41339b/commons-beanutils-1.7.0.jar
MD5: 0f18acf5fa857f9959675e14d901a7ce
SHA1: 5675fd96b29656504b86029551973d60fb41339b
SHA256: 24bcaa20ccbdc7c856ce0c0aea144566943403e2e9f27bd9779cda1d76823ef4
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | gradle | groupid | commons-beanutils | Highest
Vendor | jar | package name | commons | Highest
Vendor | Manifest | specification-vendor | Apache Software Foundation | Low
Vendor | jar | package name | apache | Highest
Vendor | Manifest | extension-name | org.apache.commons.beanutils | Medium
Vendor | jar | package name | beanutils | Highest
Vendor | jar | package name | beanutils | Low
Vendor | jar | package name | apache | Low
Vendor | jar | package name | commons | Low
Vendor | file | name | commons-beanutils | High
Vendor | Manifest | Implementation-Vendor | Apache Software Foundation | High
Product | jar | package name | commons | Highest
Product | jar | package name | apache | Highest
Product | Manifest | specification-title | Jakarta Commons Beanutils | Medium
Product | Manifest | extension-name | org.apache.commons.beanutils | Medium
Product | gradle | artifactid | commons-beanutils | Highest
Product | jar | package name | beanutils | Highest
Product | jar | package name | beanutils | Low
Product | jar | package name | commons | Low
Product | file | name | commons-beanutils | High
Product | Manifest | Implementation-Title | org.apache.commons.beanutils | High
Version | gradle | version | 1.7.0 | Highest
Version | file | name | commons-beanutils | Medium
Version | Manifest | Implementation-Version | 1.6 | High
Version | file | version | 1.7.0 | High
Published Vulnerabilities
CVE-2014-0114
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. CWE-20 Improper Input Validation
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2019-10086
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however, were not using this by-default characteristic of the PropertyUtilsBean. CWE-502 Deserialization of Untrusted Data
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
commons-beanutils-1.9.3.jar
Description: Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-beanutils/commons-beanutils/1.9.3/c845703de334ddc6b4b3cd26835458cb1cba1f3d/commons-beanutils-1.9.3.jar
MD5: 4a105c9d029a7edc6f2b16567d37eab6
SHA1: c845703de334ddc6b4b3cd26835458cb1cba1f3d
SHA256: c058e39c7c64203d3a448f3adb588cb03d6378ed808485618f26e137f29dae73
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | gradle | groupid | commons-beanutils | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Vendor | pom | name | Apache Commons BeanUtils | High
Vendor | Manifest | bundle-symbolicname | org.apache.commons.beanutils | Medium
Vendor | Manifest | implementation-build | tags/BEANUTILS_1_9_3_RC3@r1761785; 2016-09-21 16:19:55+0000 | Low
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | pom | url | https://commons.apache.org/proper/commons-beanutils/ | Highest
Vendor | pom | artifactid | commons-beanutils | Low
Vendor | Manifest | bundle-docurl | https://commons.apache.org/proper/commons-beanutils/ | Low
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | file | name | commons-beanutils | High
Vendor | jar | package name | commons | Highest
Vendor | jar | package name | apache | Highest
Vendor | pom | groupid | commons-beanutils | Highest
Vendor | Manifest | implementation-url | https://commons.apache.org/proper/commons-beanutils/ | Low
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | jar | package name | beanutils | Highest
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Product | Manifest | Bundle-Name | Apache Commons BeanUtils | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | pom | name | Apache Commons BeanUtils | High
Product | Manifest | bundle-symbolicname | org.apache.commons.beanutils | Medium
Product | Manifest | implementation-build | tags/BEANUTILS_1_9_3_RC3@r1761785; 2016-09-21 16:19:55+0000 | Low
Product | Manifest | Implementation-Title | Apache Commons BeanUtils | High
Product | pom | artifactid | commons-beanutils | Highest
Product | pom | parent-artifactid | commons-parent | Medium
Product | pom | url | https://commons.apache.org/proper/commons-beanutils/ | Medium
Product | Manifest | bundle-docurl | https://commons.apache.org/proper/commons-beanutils/ | Low
Product | Manifest | specification-title | Apache Commons BeanUtils | Medium
Product | file | name | commons-beanutils | High
Product | jar | package name | commons | Highest
Product | jar | package name | apache | Highest
Product | pom | groupid | commons-beanutils | Highest
Product | Manifest | implementation-url | https://commons.apache.org/proper/commons-beanutils/ | Low
Product | pom | parent-groupid | org.apache.commons | Medium
Product | gradle | artifactid | commons-beanutils | Highest
Product | jar | package name | beanutils | Highest
Version | pom | parent-version | 1.9.3 | Low
Version | Manifest | Implementation-Version | 1.9.3 | High
Version | gradle | version | 1.9.3 | Highest
Version | pom | version | 1.9.3 | Highest
Version | Manifest | Bundle-Version | 1.9.3 | High
Version | file | version | 1.9.3 | High
Published Vulnerabilities
CVE-2019-10086
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however, were not using this by-default characteristic of the PropertyUtilsBean. CWE-502 Deserialization of Untrusted Data
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
commons-beanutils-1.9.4.jar
Description: Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-beanutils/commons-beanutils/1.9.4/d52b9abcd97f38c81342bb7e7ae1eee9b73cba51/commons-beanutils-1.9.4.jar
MD5: 07dc532ee316fe1f2f0323e9bd2f8df4
SHA1: d52b9abcd97f38c81342bb7e7ae1eee9b73cba51
SHA256: 7d938c81789028045c08c065e94be75fc280527620d5bd62b519d5838532368a
Referenced In Projects/Scopes: splunk:checkstyle cassandra:checkstyle piglet:checkstyle calcite:checkstyle bom:checkstyle function:checkstyle spark:checkstyle plus:checkstyle pig:checkstyle druid:checkstyle csv:checkstyle core:checkstyle server:checkstyle file:checkstyle geode:checkstyle mongodb:checkstyle elasticsearch:checkstyle release:checkstyle kafka:checkstyle ubenchmark:checkstyle linq4j:checkstyle redis:checkstyle babel:checkstyle example:checkstyle innodb:checkstyle
Evidence:
Type | Source | Name | Value | Confidence
Vendor | gradle | groupid | commons-beanutils | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Vendor | Manifest | bundle-symbolicname | org.apache.commons.commons-beanutils | Medium
Vendor | pom | name | Apache Commons BeanUtils | High
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | pom | url | https://commons.apache.org/proper/commons-beanutils/ | Highest
Vendor | pom | artifactid | commons-beanutils | Low
Vendor | Manifest | bundle-docurl | https://commons.apache.org/proper/commons-beanutils/ | Low
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | file | name | commons-beanutils | High
Vendor | jar | package name | commons | Highest
Vendor | jar | package name | apache | Highest
Vendor | pom | groupid | commons-beanutils | Highest
Vendor | Manifest | implementation-url | https://commons.apache.org/proper/commons-beanutils/ | Low
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | jar | package name | beanutils | Highest
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Vendor | Manifest | implementation-build | UNKNOWN_BRANCH@r??????; 2019-07-28 22:14:44+0000 | Low
Product | Manifest | Bundle-Name | Apache Commons BeanUtils | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | Manifest | bundle-symbolicname | org.apache.commons.commons-beanutils | Medium
Product | pom | name | Apache Commons BeanUtils | High
Product | Manifest | Implementation-Title | Apache Commons BeanUtils | High
Product | pom | artifactid | commons-beanutils | Highest
Product | pom | parent-artifactid | commons-parent | Medium
Product | pom | url | https://commons.apache.org/proper/commons-beanutils/ | Medium
Product | Manifest | bundle-docurl | https://commons.apache.org/proper/commons-beanutils/ | Low
Product | Manifest | specification-title | Apache Commons BeanUtils | Medium
Product | file | name | commons-beanutils | High
Product | jar | package name | commons | Highest
Product | jar | package name | apache | Highest
Product | pom | groupid | commons-beanutils | Highest
Product | Manifest | implementation-url | https://commons.apache.org/proper/commons-beanutils/ | Low
Product | pom | parent-groupid | org.apache.commons | Medium
Product | gradle | artifactid | commons-beanutils | Highest
Product | jar | package name | beanutils | Highest
Product | Manifest | implementation-build | UNKNOWN_BRANCH@r??????; 2019-07-28 22:14:44+0000 | Low
Version | gradle | version | 1.9.4 | Highest
Version | pom | parent-version | 1.9.4 | Low
Version | Manifest | Implementation-Version | 1.9.4 | High
Version | Manifest | Bundle-Version | 1.9.4 | High
Version | pom | version | 1.9.4 | Highest
Version | file | version | 1.9.4 | High
commons-beanutils-core-1.8.0.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-beanutils/commons-beanutils-core/1.8.0/175dc721f87e4bc5cc0573f990e28c3cf9117508/commons-beanutils-core-1.8.0.jar
MD5: a33ba25ae637909a97a60ff1d1b38857
SHA1: 175dc721f87e4bc5cc0573f990e28c3cf9117508
SHA256: 9038c7ddc61d3d8089eb5a52a24b430a202617d57d2d344a93b68e4eafefefde
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | gradle | groupid | commons-beanutils | Highest
Vendor | jar | package name | apache | Highest
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | jar | package name | beanutils | Low
Vendor | file | name | commons-beanutils-core | High
Vendor | jar | package name | apache | Low
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | jar | package name | commons | Low
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Product | jar | package name | commons | Highest
Product | Manifest | Implementation-Title | Commons BeanUtils Core | High
Product | jar | package name | beanutils | Highest
Product | gradle | artifactid | commons-beanutils-core | Highest
Product | jar | package name | beanutils | Low
Product | file | name | commons-beanutils-core | High
Product | Manifest | specification-title | Commons BeanUtils Core | Medium
Product | jar | package name | commons | Low
Version | Manifest | Implementation-Version | 1.8.0 | High
Version | file | version | 1.8.0 | High
Published Vulnerabilities
CVE-2014-0114
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. CWE-20 Improper Input Validation
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
CVE-2019-10086
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however, were not using this by-default characteristic of the PropertyUtilsBean. CWE-502 Deserialization of Untrusted Data
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
References:
Vulnerable Software & Versions:
commons-cli-1.2.jar
Description: Commons CLI provides a simple API for presenting, processing and validating a command line interface.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-cli/commons-cli/1.2/2bf96b7aa8b611c177d329452af1dc933e14501c/commons-cli-1.2.jar
MD5: bfdcae1ff93f0c07d733f03bdce28c9e
SHA1: 2bf96b7aa8b611c177d329452af1dc933e14501c
SHA256: e7cd8951956d349b568b7ccfd4f5b2529a8c113e67c32b028f52ffda371259d9
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath spark:default spark:compileClasspath piglet:default pig:default spark:runtimeClasspath pig:compileClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | name | Commons CLI | High
Vendor | Manifest | bundle-symbolicname | org.apache.commons.cli | Medium
Vendor | Manifest | bundle-docurl | http://commons.apache.org/cli/ | Low
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | gradle | groupid | commons-cli | Highest
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | artifactid | commons-cli | Low
Vendor | pom | url | http://commons.apache.org/cli/ | Highest
Vendor | jar | package name | commons | Highest
Vendor | file | name | commons-cli | High
Vendor | jar | package name | apache | Highest
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | pom | groupid | commons-cli | Highest
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | jar | package name | cli | Highest
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Product | pom | artifactid | commons-cli | Highest
Product | pom | name | Commons CLI | High
Product | Manifest | bundle-symbolicname | org.apache.commons.cli | Medium
Product | Manifest | bundle-docurl | http://commons.apache.org/cli/ | Low
Product | pom | url | http://commons.apache.org/cli/ | Medium
Product | pom | parent-artifactid | commons-parent | Medium
Product | Manifest | specification-title | Commons CLI | Medium
Product | jar | package name | commons | Highest
Product | file | name | commons-cli | High
Product | Manifest | Implementation-Title | Commons CLI | High
Product | gradle | artifactid | commons-cli | Highest
Product | jar | package name | apache | Highest
Product | pom | parent-groupid | org.apache.commons | Medium
Product | pom | groupid | commons-cli | Highest
Product | Manifest | Bundle-Name | Commons CLI | Medium
Product | jar | package name | cli | Highest
Version | file | version | 1.2 | High
Version | Manifest | Bundle-Version | 1.2 | High
Version | Manifest | Implementation-Version | 1.2 | High
Version | pom | version | 1.2 | Highest
Version | gradle | version | 1.2 | Highest
Version | pom | parent-version | 1.2 | Low
commons-codec-1.12.jar
Description:
The Apache Commons Codec package contains simple encoder and decoders for
various formats such as Base64 and Hexadecimal. In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.12/47a28ef1ed31eb182b44e15d49300dee5fadcf6a/commons-codec-1.12.jar
MD5: 9bd59ca0beb26bb00e49b7fdbf1a12c3
SHA1: 47a28ef1ed31eb182b44e15d49300dee5fadcf6a
SHA256: 23df58fae9c83d1bcd277b99f9429e9d8c134f0600b73e2e86b2385ed793c81e
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath spark:default splunk:default kafka:default spark:compileClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath linq4j:runtimeClasspath linq4j:default pig:default plus:runtimeClasspath function:default file:compileClasspath core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath file:runtimeClasspath innodb:runtimeClasspath elasticsearch:default druid:runtimeClasspath mongodb:default cassandra:default babel:default function:runtimeClasspath redis:runtimeClasspath core:default elasticsearch:compileClasspath babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default csv:default core:compileClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default geode:compileClasspath mongodb:runtimeClasspath file:default server:default pig:runtimeClasspath redis:default geode:runtimeClasspath csv:runtimeClasspath plus:default pig:compileClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | url | http://commons.apache.org/proper/commons-codec/ | Highest
Vendor | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-codec/ | Low
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | pom | name | Apache Commons Codec | High
Vendor | Manifest | Implementation-Vendor-Id | commons-codec | Medium
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | gradle | groupid | commons-codec | Highest
Vendor | pom | groupid | commons-codec | Highest
Vendor | jar | package name | commons | Highest
Vendor | file | name | commons-codec | High
Vendor | jar | package name | apache | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | Manifest | implementation-url | http://commons.apache.org/proper/commons-codec/ | Low
Vendor | jar | package name | encoder | Highest
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | jar | package name | codec | Highest
Vendor | pom | artifactid | commons-codec | Low
Vendor | Manifest | automatic-module-name | org.apache.commons.codec | Medium
Vendor | Manifest | bundle-symbolicname | org.apache.commons.commons-codec | Medium
Product | pom | url | http://commons.apache.org/proper/commons-codec/ | Medium
Product | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-codec/ | Low
Product | Manifest | Implementation-Title | Apache Commons Codec | High
Product | pom | parent-artifactid | commons-parent | Medium
Product | pom | name | Apache Commons Codec | High
Product | Manifest | specification-title | Apache Commons Codec | Medium
Product | pom | groupid | commons-codec | Highest
Product | jar | package name | commons | Highest
Product | Manifest | Bundle-Name | Apache Commons Codec | Medium
Product | file | name | commons-codec | High
Product | gradle | artifactid | commons-codec | Highest
Product | jar | package name | apache | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | jar | package name | encoder | Highest
Product | Manifest | implementation-url | http://commons.apache.org/proper/commons-codec/ | Low
Product | pom | parent-groupid | org.apache.commons | Medium
Product | jar | package name | codec | Highest
Product | Manifest | automatic-module-name | org.apache.commons.codec | Medium
Product | Manifest | bundle-symbolicname | org.apache.commons.commons-codec | Medium
Product | pom | artifactid | commons-codec | Highest
Version | Manifest | Implementation-Version | 1.12 | High
Version | gradle | version | 1.12 | Highest
Version | file | version | 1.12 | High
Version | pom | parent-version | 1.12 | Low
Version | pom | version | 1.12 | Highest
commons-collections-3.2.2.jar
Description:
Types that extend and augment the Java Collections Framework.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-collections/commons-collections/3.2.2/8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5/commons-collections-3.2.2.jar
MD5: f54a8510f834a1a57166970bfc982e94
SHA1: 8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5
SHA256: eeeae917917144a68a741d4c0dff66aa5c5c5fd85593ff217bced3fc8ca783b8
Referenced In Projects/Scopes: piglet:compileClasspath splunk:checkstyle cassandra:checkstyle piglet:checkstyle calcite:checkstyle bom:checkstyle piglet:runtimeClasspath spark:default spark:compileClasspath function:checkstyle spark:checkstyle plus:checkstyle spark:runtimeClasspath pig:checkstyle druid:checkstyle csv:checkstyle innodb:default piglet:default core:checkstyle server:checkstyle innodb:compileClasspath file:checkstyle innodb:runtimeClasspath calcite:sqllineClasspath geode:default geode:checkstyle geode:compileClasspath mongodb:checkstyle elasticsearch:checkstyle release:checkstyle kafka:checkstyle ubenchmark:checkstyle linq4j:checkstyle redis:checkstyle babel:checkstyle example:checkstyle geode:runtimeClasspath innodb:checkstyle
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | commons-collections | High
Vendor | pom | groupid | commons-collections | Highest
Vendor | pom | url | http://commons.apache.org/collections/ | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.3))" | Low
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | Manifest | bundle-docurl | http://commons.apache.org/collections/ | Low
Vendor | jar | package name | commons | Highest
Vendor | jar | package name | apache | Highest
Vendor | Manifest | bundle-symbolicname | org.apache.commons.collections | Medium
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | jar | package name | collections | Highest
Vendor | Manifest | implementation-build | tags/COLLECTIONS_3_2_2_RC3@r1714131; 2015-11-13 00:09:45+0100 | Low
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | pom | artifactid | commons-collections | Low
Vendor | pom | name | Apache Commons Collections | High
Vendor | Manifest | implementation-url | http://commons.apache.org/collections/ | Low
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Vendor | gradle | groupid | commons-collections | Highest
Product | gradle | artifactid | commons-collections | Highest
Product | file | name | commons-collections | High
Product | Manifest | Bundle-Name | Apache Commons Collections | Medium
Product | pom | groupid | commons-collections | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.3))" | Low
Product | pom | url | http://commons.apache.org/collections/ | Medium
Product | Manifest | specification-title | Apache Commons Collections | Medium
Product | Manifest | Implementation-Title | Apache Commons Collections | High
Product | pom | parent-artifactid | commons-parent | Medium
Product | Manifest | bundle-docurl | http://commons.apache.org/collections/ | Low
Product | pom | artifactid | commons-collections | Highest
Product | jar | package name | commons | Highest
Product | jar | package name | apache | Highest
Product | Manifest | bundle-symbolicname | org.apache.commons.collections | Medium
Product | pom | parent-groupid | org.apache.commons | Medium
Product | jar | package name | collections | Highest
Product | Manifest | implementation-build | tags/COLLECTIONS_3_2_2_RC3@r1714131; 2015-11-13 00:09:45+0100 | Low
Product | pom | name | Apache Commons Collections | High
Product | Manifest | implementation-url | http://commons.apache.org/collections/ | Low
Version | pom | version | 3.2.2 | Highest
Version | file | version | 3.2.2 | High
Version | pom | parent-version | 3.2.2 | Low
Version | gradle | version | 3.2.2 | Highest
Version | Manifest | Implementation-Version | 3.2.2 | High
Version | Manifest | Bundle-Version | 3.2.2 | High
commons-compiler-3.0.11.jar
Description:
The "commons-compiler" API, including the "IExpressionEvaluator", "IScriptEvaluator", "IClassBodyEvaluator" and "ISimpleCompiler" interfaces.
License:
https://raw.githubusercontent.com/janino-compiler/janino/master/LICENSE
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.janino/commons-compiler/3.0.11/f2a6ec7fbc929c9fc87ff8bb486c0574951c5b09/commons-compiler-3.0.11.jar
MD5: 6dea71e8377d7b5df36b11a57406b261
SHA1: f2a6ec7fbc929c9fc87ff8bb486c0574951c5b09
SHA256: 0f1a4f5f265c701a31933244ae7045fcef18b4fa5950417e25ee70be50dddacf
Referenced In Projects/Scopes: babel:default piglet:runtimeClasspath spark:default splunk:default function:runtimeClasspath kafka:default redis:runtimeClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath core:default babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default pig:default plus:runtimeClasspath function:default csv:default core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath core:compileClasspath file:runtimeClasspath innodb:runtimeClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default elasticsearch:default druid:runtimeClasspath mongodb:runtimeClasspath file:default server:default ubenchmark:jmhCompileClasspath pig:runtimeClasspath mongodb:default redis:default geode:runtimeClasspath csv:runtimeClasspath plus:default cassandra:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | isimplecompiler | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Vendor | jar | package name | compiler | Highest
Vendor | pom | artifactid | commons-compiler | Low
Vendor | pom | name | commons-compiler | High
Vendor | jar | package name | iclassbodyevaluator | Highest
Vendor | pom | parent-groupid | org.codehaus.janino | Medium
Vendor | pom | groupid | codehaus.janino | Highest
Vendor | jar | package name | commons | Highest
Vendor | Manifest | bundle-symbolicname | org.codehaus.janino.commons-compiler;singleton:=true | Medium
Vendor | jar | package name | iscriptevaluator | Highest
Vendor | jar | package name | codehaus | Highest
Vendor | gradle | groupid | org.codehaus.janino | Highest
Vendor | pom | parent-artifactid | janino-parent | Low
Vendor | file | name | commons-compiler | High
Vendor | jar | package name | iexpressionevaluator | Highest
Product | jar | package name | isimplecompiler | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | pom | parent-artifactid | janino-parent | Medium
Product | jar | package name | compiler | Highest
Product | pom | name | commons-compiler | High
Product | jar | package name | iclassbodyevaluator | Highest
Product | pom | parent-groupid | org.codehaus.janino | Medium
Product | pom | groupid | codehaus.janino | Highest
Product | jar | package name | commons | Highest
Product | Manifest | bundle-symbolicname | org.codehaus.janino.commons-compiler;singleton:=true | Medium
Product | jar | package name | iscriptevaluator | Highest
Product | Manifest | Bundle-Name | commons-compiler | Medium
Product | jar | package name | codehaus | Highest
Product | gradle | artifactid | commons-compiler | Highest
Product | file | name | commons-compiler | High
Product | jar | package name | iexpressionevaluator | Highest
Product | pom | artifactid | commons-compiler | Highest
Version | gradle | version | 3.0.11 | Highest
Version | Manifest | Bundle-Version | 3.0.11 | High
Version | pom | version | 3.0.11 | Highest
Version | file | version | 3.0.11 | High
commons-compress-1.4.1.jar
Description:
Apache Commons Compress software defines an API for working with compression and archive formats.
These include: bzip2, gzip, pack200, xz and ar, cpio, jar, tar, zip, dump.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.4.1/b02e84a993d88568417536240e970c4b809126fd/commons-compress-1.4.1.jar
MD5: 7f7ff9255a831325f38a170992b70073
SHA1: b02e84a993d88568417536240e970c4b809126fd
SHA256: 28a00d80716f073d644b9da76e94b5e8ff94de8e9323f06f558fba653fcf5f86
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath spark:default spark:compileClasspath piglet:default pig:default spark:runtimeClasspath pig:compileClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | bundle-docurl | http://commons.apache.org/compress/ | Low
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | bundle-symbolicname | org.apache.commons.compress | Medium
Vendor | file | name | commons-compress | High
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | artifactid | commons-compress | Low
Vendor | jar | package name | compress | Highest
Vendor | gradle | groupid | org.apache.commons | Highest
Vendor | jar | package name | commons | Highest
Vendor | jar | package name | apache | Highest
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | pom | url | http://commons.apache.org/compress/ | Highest
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | Manifest | implementation-build | trunk@r1341303; 2012-05-22 06:55:03+0200 | Low
Vendor | pom | groupid | apache.commons | Highest
Vendor | pom | name | Commons Compress | High
Vendor | Manifest | extension-name | org.apache.commons.compress | Medium
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Product | Manifest | specification-title | Commons Compress | Medium
Product | Manifest | Implementation-Title | Commons Compress | High
Product | Manifest | bundle-docurl | http://commons.apache.org/compress/ | Low
Product | pom | parent-artifactid | commons-parent | Medium
Product | Manifest | bundle-symbolicname | org.apache.commons.compress | Medium
Product | file | name | commons-compress | High
Product | pom | url | http://commons.apache.org/compress/ | Medium
Product | Manifest | Bundle-Name | Commons Compress | Medium
Product | jar | package name | compress | Highest
Product | jar | package name | commons | Highest
Product | jar | package name | apache | Highest
Product | pom | parent-groupid | org.apache.commons | Medium
Product | Manifest | implementation-build | trunk@r1341303; 2012-05-22 06:55:03+0200 | Low
Product | pom | artifactid | commons-compress | Highest
Product | pom | groupid | apache.commons | Highest
Product | pom | name | Commons Compress | High
Product | gradle | artifactid | commons-compress | Highest
Product | Manifest | extension-name | org.apache.commons.compress | Medium
Version | Manifest | Bundle-Version | 1.4.1 | High
Version | Manifest | Implementation-Version | 1.4.1 | High
Version | pom | version | 1.4.1 | Highest
Version | pom | parent-version | 1.4.1 | Low
Version | file | version | 1.4.1 | High
Version | gradle | version | 1.4.1 | Highest
commons-configuration-1.6.jar
Description:
Tools to assist in the reading of configuration/preferences files in various formats
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-configuration/commons-configuration/1.6/32cadde23955d7681b0d94a2715846d20b425235/commons-configuration-1.6.jar
MD5: b099d9f9b4b99071cc52b259308df69a
SHA1: 32cadde23955d7681b0d94a2715846d20b425235
SHA256: 46b71b9656154f6a16ea4b1dc84026b52a9305f8eff046a2b4655fa1738e5eee
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | commons-configuration | High
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | gradle | groupid | commons-configuration | Highest
Vendor | jar | package name | commons | Highest
Vendor | Manifest | bundle-symbolicname | org.apache.commons.configuration | Medium
Vendor | jar | package name | apache | Highest
Vendor | pom | name | Commons Configuration | High
Vendor | jar | package name | configuration | Highest
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | pom | artifactid | commons-configuration | Low
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | pom | url | http://commons.apache.org/configuration/ | Highest
Vendor | Manifest | bundle-docurl | http://commons.apache.org/configuration/ | Low
Vendor | pom | groupid | commons-configuration | Highest
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Product | file | name | commons-configuration | High
Product | pom | artifactid | commons-configuration | Highest
Product | pom | parent-artifactid | commons-parent | Medium
Product | Manifest | Implementation-Title | Commons Configuration | High
Product | gradle | artifactid | commons-configuration | Highest
Product | Manifest | specification-title | Commons Configuration | Medium
Product | jar | package name | commons | Highest
Product | Manifest | bundle-symbolicname | org.apache.commons.configuration | Medium
Product | jar | package name | apache | Highest
Product | Manifest | Bundle-Name | Commons Configuration | Medium
Product | pom | name | Commons Configuration | High
Product | jar | package name | configuration | Highest
Product | pom | parent-groupid | org.apache.commons | Medium
Product | Manifest | bundle-docurl | http://commons.apache.org/configuration/ | Low
Product | pom | groupid | commons-configuration | Highest
Product | pom | url | http://commons.apache.org/configuration/ | Medium
Version | Manifest | Bundle-Version | 1.6 | High
Version | Manifest | Implementation-Version | 1.6 | High
Version | pom | version | 1.6 | Highest
Version | pom | parent-version | 1.6 | Low
Version | gradle | version | 1.6 | Highest
Version | file | version | 1.6 | High
commons-crypto-1.0.0.jar
Description:
Apache Commons Crypto is a cryptographic library optimized with AES-NI (Advanced Encryption Standard New Instructions). It provides Java API for both cipher level and Java stream level. Developers can use it to implement high performance AES encryption/decryption with the minimum code and effort. Please note that Crypto doesn't implement the cryptographic algorithm such as AES directly. It wraps to Openssl or JCE which implement the algorithms.

Features
--------
1. Cipher API for low level cryptographic operations.
2. Java stream API (CryptoInputStream/CryptoOutputStream) for high level stream encryption/decryption.
3. Both optimized with high performance AES encryption/decryption. (1400 MB/s - 1700 MB/s throughput in modern Xeon processors).
4. JNI-based implementation to achieve comparable performance to the native C++ version based on OpenSsl.
5. Portable across various operating systems (currently only Linux/MacOSX/Windows); Apache Commons Crypto loads the library according to your machine environment (it checks system properties, `os.name` and `os.arch`).
6. Simple usage. Add the commons-crypto-(version).jar file to your classpath.

Export restrictions
-------------------
This distribution includes cryptographic software. The country in which you currently reside may have restrictions on the import, possession, use, and/or re-export to another country, of encryption software. BEFORE using any encryption software, please check your country's laws, regulations and policies concerning the import, possession, or use, and re-export of encryption software, to see if this is permitted. See for more information.

The U.S. Government Department of Commerce, Bureau of Industry and Security (BIS), has classified this software as Export Commodity Control Number (ECCN) 5D002.C.1, which includes information security software using or performing cryptographic functions with asymmetric algorithms. The form and manner of this Apache Software Foundation distribution makes it eligible for export under the License Exception ENC Technology Software Unrestricted (TSU) exception (see the BIS Export Administration Regulations, Section 740.13) for both object code and source code.

The following provides more details on the included cryptographic software:
* Commons Crypto use [Java Cryptography Extension](http://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html) provided by Java
* Commons Crypto link to and use [OpenSSL](https://www.openssl.org/) ciphers
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-crypto/1.0.0/7938f66b01f62f03ef8af8a64401e85e45d51c5d/commons-crypto-1.0.0.jar
MD5: 981c95e38457b10d429090496b96f2d6
SHA1: 7938f66b01f62f03ef8af8a64401e85e45d51c5d
SHA256: 0043d8d74d8df632c57f938828e6f6efd555e293a9079dcdf59eab8e40107491
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | stream | Highest
Vendor | Manifest | bundle-symbolicname | org.apache.commons.crypto | Medium
Vendor | jar | package name | cipher | Highest
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | pom | name | Apache Commons Crypto | High
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | Manifest | implementation-build | CRYPTO-1.0.0@r782ca06a1f9a292756fbad9eb9841e685cd34af1; 2016-07-26 09:19:11+0800 | Low
Vendor | jar | package name | crypto | Highest
Vendor | Manifest | implementation-url | http://commons.apache.org/proper/commons-crypto/ | Low
Vendor | gradle | groupid | org.apache.commons | Highest
Vendor | file | name | commons-crypto | High
Vendor | jar | package name | commons | Highest
Vendor | pom | url | http://commons.apache.org/proper/commons-crypto/ | Highest
Vendor | jar | package name | apache | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | pom | groupid | apache.commons | Highest
Vendor | pom | artifactid | commons-crypto | Low
Vendor | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-crypto/ | Low
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Product | jar | package name | stream | Highest
Product | Manifest | bundle-symbolicname | org.apache.commons.crypto | Medium
Product | jar | package name | cipher | Highest
Product | pom | parent-artifactid | commons-parent | Medium
Product | pom | artifactid | commons-crypto | Highest
Product | pom | name | Apache Commons Crypto | High
Product | Manifest | implementation-build | CRYPTO-1.0.0@r782ca06a1f9a292756fbad9eb9841e685cd34af1; 2016-07-26 09:19:11+0800 | Low
Product | jar | package name | crypto | Highest
Product | Manifest | implementation-url | http://commons.apache.org/proper/commons-crypto/ | Low
Product | gradle | artifactid | commons-crypto | Highest
Product | pom | url | http://commons.apache.org/proper/commons-crypto/ | Medium
Product | file | name | commons-crypto | High
Product | jar | package name | commons | Highest
Product | jar | package name | apache | Highest
Product | Manifest | specification-title | Apache Commons Crypto | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | pom | parent-groupid | org.apache.commons | Medium
Product | Manifest | Implementation-Title | Apache Commons Crypto | High
Product | pom | groupid | apache.commons | Highest
Product | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-crypto/ | Low
Product | Manifest | Bundle-Name | Apache Commons Crypto | Medium
Version | pom | parent-version | 1.0.0 | Low
Version | pom | version | 1.0.0 | Highest
Version | Manifest | Bundle-Version | 1.0.0 | High
Version | file | version | 1.0.0 | High
Version | Manifest | Implementation-Version | 1.0.0 | High
Version | gradle | version | 1.0.0 | Highest
commons-crypto-1.0.0.jar: commons-crypto.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-crypto/1.0.0/7938f66b01f62f03ef8af8a64401e85e45d51c5d/commons-crypto-1.0.0.jar/org/apache/commons/crypto/native/Windows/x86/commons-crypto.dll
MD5: 80df8a7e2032790a467db967ce60182e
SHA1: 2a8efda075679e8a913347c52f409015b4ce2e96
SHA256: 02e008efb98e14d5b1f16a2219f71ad179ff301bed5a2267883c28d74bcfe6be
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | commons-crypto | High
Product | file | name | commons-crypto | High
commons-crypto-1.0.0.jar: commons-crypto.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-crypto/1.0.0/7938f66b01f62f03ef8af8a64401e85e45d51c5d/commons-crypto-1.0.0.jar/org/apache/commons/crypto/native/Windows/x86_64/commons-crypto.dll
MD5: a330d40c0b4016e6fcff609473eeb44e
SHA1: ed34492e05a31791856eaecdd436db9a875926eb
SHA256: 6d8783ac18bc5f770af7371fcf9684af4b531cad982e62ffe508fca22afa573f
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | commons-crypto | High
Product | file | name | commons-crypto | High
commons-dbcp2-2.6.0.jar
Description:
Apache Commons DBCP software implements Database Connection Pooling
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-dbcp2/2.6.0/78d0e99c4bc815a9f20cf6837761e91b7fc6eef4/commons-dbcp2-2.6.0.jar
MD5: dc14a729b359f3770f608d3f2c2e7a9e
SHA1: 78d0e99c4bc815a9f20cf6837761e91b7fc6eef4
SHA256: 4af3d49ea0aae838d330cbc969a94ff2fa768e3b637effb8e80a21672dd49bf4
Referenced In Projects/Scopes: babel:default piglet:runtimeClasspath spark:default splunk:default function:runtimeClasspath kafka:default redis:runtimeClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath core:default babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default pig:default plus:runtimeClasspath function:default csv:default core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath core:compileClasspath file:runtimeClasspath innodb:runtimeClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default elasticsearch:default druid:runtimeClasspath mongodb:runtimeClasspath file:default server:default pig:runtimeClasspath mongodb:default redis:default geode:runtimeClasspath csv:runtimeClasspath plus:default cassandra:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | implementation-build | release@r3e7fca08d3585aa7cf70045ee3ed607cbaf04baa; 2019-02-15 15:32:42+0000 | Low
Vendor | Manifest | bundle-symbolicname | org.apache.commons.commons-dbcp2 | Medium
Vendor | jar | package name | dbcp2 | Highest
Vendor | pom | name | Apache Commons DBCP | High
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | pom | url | http://commons.apache.org/dbcp/ | Highest
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | Manifest | implementation-url | http://commons.apache.org/dbcp/ | Low
Vendor | gradle | groupid | org.apache.commons | Highest
Vendor | jar | package name | commons | Highest
Vendor | pom | artifactid | commons-dbcp2 | Low
Vendor | jar | package name | apache | Highest
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | file | name | commons-dbcp2 | High
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | pom | groupid | apache.commons | Highest
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Vendor | Manifest | bundle-docurl | http://commons.apache.org/dbcp/ | Low
Product | Manifest | implementation-build | release@r3e7fca08d3585aa7cf70045ee3ed607cbaf04baa; 2019-02-15 15:32:42+0000 | Low
Product | Manifest | Bundle-Name | Apache Commons DBCP | Medium
Product | pom | artifactid | commons-dbcp2 | Highest
Product | Manifest | bundle-symbolicname | org.apache.commons.commons-dbcp2 | Medium
Product | jar | package name | dbcp2 | Highest
Product | pom | name | Apache Commons DBCP | High
Product | gradle | artifactid | commons-dbcp2 | Highest
Product | pom | parent-artifactid | commons-parent | Medium
Product | Manifest | Implementation-Title | Apache Commons DBCP | High
Product | Manifest | implementation-url | http://commons.apache.org/dbcp/ | Low
Product | Manifest | specification-title | Apache Commons DBCP | Medium
Product | jar | package name | commons | Highest
Product | jar | package name | apache | Highest
Product | pom | parent-groupid | org.apache.commons | Medium
Product | pom | url | http://commons.apache.org/dbcp/ | Medium
Product | file | name | commons-dbcp2 | High
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | pom | groupid | apache.commons | Highest
Product | Manifest | bundle-docurl | http://commons.apache.org/dbcp/ | Low
Version | Manifest | Implementation-Version | 2.6.0 | High
Version | gradle | version | 2.6.0 | Highest
Version | pom | parent-version | 2.6.0 | Low
Version | file | version | 2.6.0 | High
Version | Manifest | Bundle-Version | 2.6.0 | High
Version | pom | version | 2.6.0 | Highest
commons-digester-1.8.1.jar
Description:
The Digester package lets you configure an XML to Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-digester/commons-digester/1.8.1/3dec9b9c7ea9342d4dbe8c38560080d85b44a015/commons-digester-1.8.1.jar
MD5: 5002ecf033f5a79e398155823badb36a
SHA1: 3dec9b9c7ea9342d4dbe8c38560080d85b44a015
SHA256: b97b72b4201137262215dca60ceb84e6b664bf7fe428a4d62729de0239cafdb6
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | bundle-symbolicname | org.apache.commons.digester | Medium
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | jar | package name | rules | Highest
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | artifactid | commons-digester | Low
Vendor | file | name | commons-digester | High
Vendor | pom | url | http://commons.apache.org/digester/ | Highest
Vendor | jar | package name | commons | Highest
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | digester | Highest
Vendor | Manifest | bundle-docurl | http://commons.apache.org/digester/ | Low
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | gradle | groupid | commons-digester | Highest
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | pom | name | Commons Digester | High
Vendor | pom | groupid | commons-digester | Highest
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Product | gradle | artifactid | commons-digester | Highest
Product | Manifest | Implementation-Title | Commons Digester | High
Product | Manifest | specification-title | Commons Digester | Medium
Product | pom | artifactid | commons-digester | Highest
Product | Manifest | bundle-symbolicname | org.apache.commons.digester | Medium
Product | pom | parent-artifactid | commons-parent | Medium
Product | jar | package name | rules | Highest
Product | Manifest | Bundle-Name | Commons Digester | Medium
Product | file | name | commons-digester | High
Product | jar | package name | commons | Highest
Product | pom | url | http://commons.apache.org/digester/ | Medium
Product | jar | package name | apache | Highest
Product | jar | package name | digester | Highest
Product | Manifest | bundle-docurl | http://commons.apache.org/digester/ | Low
Product | pom | parent-groupid | org.apache.commons | Medium
Product | pom | name | Commons Digester | High
Product | pom | groupid | commons-digester | Highest
Version | file | version | 1.8.1 | High
Version | pom | version | 1.8.1 | Highest
Version | Manifest | Implementation-Version | 1.8.1 | High
Version | pom | parent-version | 1.8.1 | Low
Version | gradle | version | 1.8.1 | Highest
Version | Manifest | Bundle-Version | 1.8.1 | High
commons-digester-1.8.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-digester/commons-digester/1.8/dc6a73fdbd1fa3f0944e8497c6c872fa21dca37e/commons-digester-1.8.jar
MD5: cf89c593f0378e9509a06fce7030aeba
SHA1: dc6a73fdbd1fa3f0944e8497c6c872fa21dca37e
SHA256: 05662373044f3dff112567b7bb5dfa1174e91e074c0c727b4412788013f49d56
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | digester | Low
Vendor | Manifest | extension-name | commons-digester | Medium
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | jar | package name | commons | Low
Vendor | file | name | commons-digester | High
Vendor | jar | package name | commons | Highest
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | digester | Highest
Vendor | gradle | groupid | commons-digester | Highest
Vendor | jar | package name | apache | Low
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Product | jar | package name | commons | Highest
Product | jar | package name | apache | Highest
Product | jar | package name | digester | Highest
Product | jar | package name | digester | Low
Product | Manifest | extension-name | commons-digester | Medium
Product | gradle | artifactid | commons-digester | Highest
Product | Manifest | Implementation-Title | org.apache.commons.digester | High
Product | Manifest | specification-title | Rule based XML->Java object mapping module | Medium
Product | jar | package name | commons | Low
Product | file | name | commons-digester | High
Product | jar | package name | rule | Highest
Version | Manifest | Implementation-Version | 1.8 | High
Version | file | version | 1.8 | High
commons-el-1.0.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-el/commons-el/1.0/1df2c042b3f2de0124750241ac6c886dbfa2cc2c/commons-el-1.0.jar
MD5: 7c98594df7c126f33688fa6d93169639
SHA1: 1df2c042b3f2de0124750241ac6c886dbfa2cc2c
SHA256: 0d67550ec0022b653453c759f063a643c2fe64bc48faa8b25f95a220e2a282e2
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | commons | Highest
Vendor | Manifest | specification-vendor | Apache Software Foundation | Low
Vendor | jar | package name | el | Low
Vendor | gradle | groupid | commons-el | Highest
Vendor | jar | package name | apache | Highest
Vendor | file | name | commons-el | High
Vendor | jar | package name | apache | Low
Vendor | jar | package name | commons | Low
Vendor | jar | package name | el | Highest
Vendor | Manifest | extension-name | org.apache.commons.el | Medium
Vendor | Manifest | Implementation-Vendor | Apache Software Foundation | High
Product | jar | package name | commons | Highest
Product | Manifest | specification-title | Jakarta Commons EL | Medium
Product | jar | package name | el | Low
Product | jar | package name | apache | Highest
Product | Manifest | Implementation-Title | org.apache.commons.el | High
Product | gradle | artifactid | commons-el | Highest
Product | file | name | commons-el | High
Product | jar | package name | commons | Low
Product | jar | package name | el | Highest
Product | Manifest | extension-name | org.apache.commons.el | Medium
Version | file | version | 1.0 | High
Version | Manifest | Implementation-Version | 1.0 | High
commons-httpclient-3.1.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-httpclient/commons-httpclient/3.1/964cd74171f427720480efdec40a7c7f6e58426a/commons-httpclient-3.1.jar
MD5: 8ad8c9229ef2d59ab9f59f7050e846a5
SHA1: 964cd74171f427720480efdec40a7c7f6e58426a
SHA256: dbd4953d013e10e7c1cc3701a3e6ccd8c950c892f08d804fabfac21705930443
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath spark:default spark:compileClasspath piglet:default pig:default spark:runtimeClasspath pig:compileClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | commons-httpclient | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | httpclient | Low
Vendor | jar | package name | apache | Low
Vendor | jar | package name | commons | Low
Vendor | gradle | groupid | commons-httpclient | Highest
Vendor | manifest: org/apache/commons/httpclient | Implementation-Vendor | Apache Software Foundation | Medium
Product | file | name | commons-httpclient | High
Product | jar | package name | commons | Highest
Product | gradle | artifactid | commons-httpclient | Highest
Product | jar | package name | apache | Highest
Product | jar | package name | httpclient | Low
Product | manifest: org/apache/commons/httpclient | Specification-Title | Jakarta Commons HttpClient | Medium
Product | manifest: org/apache/commons/httpclient | Implementation-Title | org.apache.commons.httpclient | Medium
Product | jar | package name | commons | Low
Product | jar | package name | httpclient | Highest
Version | file | version | 3.1 | High
Version | manifest: org/apache/commons/httpclient | Implementation-Version | 3.1 | Medium
Version | Manifest | maven-version | 1.1 | Medium
Version | file | name | commons-httpclient | Medium
Version | gradle | version | 3.1 | Highest
Published Vulnerabilities CVE-2012-5783 suppress
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. CWE-295 Improper Certificate Validation
CVSSv2:
Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N
References:
Vulnerable Software & Versions:
CVE-2020-13956
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution. NVD-CWE-noinfo
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References:
Vulnerable Software & Versions:
commons-io-2.4.jar
Description:
The Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-io/commons-io/2.4/b1b6ea3b7e4aa4f492509a4952029cd8e48019ad/commons-io-2.4.jar
MD5: 7f97854dc04c119d461fed14f5d8bb96
SHA1: b1b6ea3b7e4aa4f492509a4952029cd8e48019ad
SHA256: cc6a41dc3eaacc9e440a6bd0d2890b20d36b4ee408fe2d67122f328bb6e01581
Referenced In Projects/Scopes: piglet:compileClasspath babel:default piglet:runtimeClasspath spark:default splunk:default function:runtimeClasspath kafka:default spark:compileClasspath redis:runtimeClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath core:default babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default pig:default plus:runtimeClasspath function:default csv:default file:compileClasspath core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath core:compileClasspath file:runtimeClasspath innodb:runtimeClasspath core:runtimeClasspath elasticsearch:default geode:compileClasspath druid:runtimeClasspath mongodb:runtimeClasspath file:default server:default pig:runtimeClasspath mongodb:default redis:default geode:runtimeClasspath csv:runtimeClasspath plus:default cassandra:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | gradle | groupid | commons-io | Highest
Vendor | Manifest | bundle-symbolicname | org.apache.commons.io | Medium
Vendor | pom | name | Commons IO | High
Vendor | Manifest | bundle-docurl | http://commons.apache.org/io/ | Low
Vendor | pom | artifactid | commons-io | Low
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | file | name | commons-io | High
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | jar | package name | commons | Highest
Vendor | jar | package name | apache | Highest
Vendor | Manifest | implementation-build | tags/2.4-RC2@r1349569; 2012-06-12 18:18:20-0400 | Low
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | jar | package name | io | Highest
Vendor | pom | url | http://commons.apache.org/io/ | Highest
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Vendor | pom | groupid | commons-io | Highest
Product | Manifest | bundle-symbolicname | org.apache.commons.io | Medium
Product | pom | name | Commons IO | High
Product | Manifest | bundle-docurl | http://commons.apache.org/io/ | Low
Product | pom | artifactid | commons-io | Highest
Product | pom | parent-artifactid | commons-parent | Medium
Product | file | name | commons-io | High
Product | Manifest | Bundle-Name | Commons IO | Medium
Product | jar | package name | commons | Highest
Product | Manifest | Implementation-Title | Commons IO | High
Product | jar | package name | apache | Highest
Product | gradle | artifactid | commons-io | Highest
Product | Manifest | implementation-build | tags/2.4-RC2@r1349569; 2012-06-12 18:18:20-0400 | Low
Product | Manifest | specification-title | Commons IO | Medium
Product | pom | parent-groupid | org.apache.commons | Medium
Product | pom | url | http://commons.apache.org/io/ | Medium
Product | jar | package name | io | Highest
Product | pom | groupid | commons-io | Highest
Version | pom | parent-version | 2.4 | Low
Version | Manifest | Implementation-Version | 2.4 | High
Version | gradle | version | 2.4 | Highest
Version | file | version | 2.4 | High
Version | pom | version | 2.4 | Highest
Published Vulnerabilities
CVE-2021-29425
In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value. CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
commons-io-2.6.jar
Description:
The Apache Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-io/commons-io/2.6/815893df5f31da2ece4040fe0a12fd44b577afaf/commons-io-2.6.jar
MD5: 467c2a1f64319c99b5faf03fc78572af
SHA1: 815893df5f31da2ece4040fe0a12fd44b577afaf
SHA256: f877d304660ac2a142f3865badfc971dec7ed73c747c7f8d5d2f5139ca736513
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | gradle | groupid | commons-io | Highest
Vendor | Manifest | bundle-symbolicname | org.apache.commons.io | Medium
Vendor | pom | artifactid | commons-io | Low
Vendor | pom | url | http://commons.apache.org/proper/commons-io/ | Highest
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | file | name | commons-io | High
Vendor | Manifest | automatic-module-name | org.apache.commons.io | Medium
Vendor | Manifest | implementation-url | http://commons.apache.org/proper/commons-io/ | Low
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | name | Apache Commons IO | High
Vendor | jar | package name | commons | Highest
Vendor | jar | package name | apache | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | Manifest | Implementation-Vendor-Id | commons-io | Medium
Vendor | jar | package name | io | Highest
Vendor | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-io/ | Low
Vendor | pom | groupid | commons-io | Highest
Product | pom | url | http://commons.apache.org/proper/commons-io/ | Medium
Product | Manifest | bundle-symbolicname | org.apache.commons.io | Medium
Product | Manifest | specification-title | Apache Commons IO | Medium
Product | Manifest | Implementation-Title | Apache Commons IO | High
Product | pom | artifactid | commons-io | Highest
Product | pom | parent-artifactid | commons-parent | Medium
Product | file | name | commons-io | High
Product | Manifest | automatic-module-name | org.apache.commons.io | Medium
Product | Manifest | implementation-url | http://commons.apache.org/proper/commons-io/ | Low
Product | pom | name | Apache Commons IO | High
Product | jar | package name | commons | Highest
Product | jar | package name | apache | Highest
Product | gradle | artifactid | commons-io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | pom | parent-groupid | org.apache.commons | Medium
Product | jar | package name | io | Highest
Product | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-io/ | Low
Product | Manifest | Bundle-Name | Apache Commons IO | Medium
Product | pom | groupid | commons-io | Highest
Version | gradle | version | 2.6 | Highest
Version | Manifest | Implementation-Version | 2.6 | High
Version | pom | version | 2.6 | Highest
Version | file | version | 2.6 | High
Version | pom | parent-version | 2.6 | Low
Published Vulnerabilities
CVE-2021-29425
In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value. CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
commons-lang-2.4.jar
Description:
Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-lang/commons-lang/2.4/16313e02a793435009f1e458fa4af5d879f6fb11/commons-lang-2.4.jar
MD5: 237a8e845441bad2e535c57d985c8204
SHA1: 16313e02a793435009f1e458fa4af5d879f6fb11
SHA256: 2c73b940c91250bc98346926270f13a6a10bb6e29d2c9316a70d134e382c873e
Referenced In Projects/Scopes: babel:default splunk:default function:runtimeClasspath kafka:default redis:runtimeClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default core:default babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default pig:default plus:runtimeClasspath function:default core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath core:compileClasspath innodb:runtimeClasspath core:runtimeClasspath geode:default elasticsearch:default druid:runtimeClasspath mongodb:runtimeClasspath server:default pig:runtimeClasspath mongodb:default redis:default geode:runtimeClasspath plus:default cassandra:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | lang | Highest
Vendor | pom | name | Commons Lang | High
Vendor | gradle | groupid | commons-lang | Highest
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | url | http://commons.apache.org/lang/ | Highest
Vendor | file | name | commons-lang | High
Vendor | jar | package name | commons | Highest
Vendor | pom | groupid | commons-lang | Highest
Vendor | jar | package name | apache | Highest
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | Manifest | bundle-docurl | http://commons.apache.org/lang/ | Low
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Vendor | pom | artifactid | commons-lang | Low
Vendor | Manifest | bundle-symbolicname | org.apache.commons.lang | Medium
Product | jar | package name | lang | Highest
Product | pom | name | Commons Lang | High
Product | pom | artifactid | commons-lang | Highest
Product | pom | parent-artifactid | commons-parent | Medium
Product | file | name | commons-lang | High
Product | jar | package name | commons | Highest
Product | Manifest | Implementation-Title | Commons Lang | High
Product | pom | groupid | commons-lang | Highest
Product | gradle | artifactid | commons-lang | Highest
Product | jar | package name | apache | Highest
Product | Manifest | specification-title | Commons Lang | Medium
Product | pom | parent-groupid | org.apache.commons | Medium
Product | pom | url | http://commons.apache.org/lang/ | Medium
Product | Manifest | bundle-docurl | http://commons.apache.org/lang/ | Low
Product | Manifest | Bundle-Name | Commons Lang | Medium
Product | Manifest | bundle-symbolicname | org.apache.commons.lang | Medium
Version | pom | parent-version | 2.4 | Low
Version | Manifest | Bundle-Version | 2.4 | High
Version | Manifest | Implementation-Version | 2.4 | High
Version | gradle | version | 2.4 | Highest
Version | file | version | 2.4 | High
Version | pom | version | 2.4 | Highest
commons-lang-2.6.jar
Description:
Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-lang/commons-lang/2.6/ce1edb914c94ebc388f086c6827e8bdeec71ac2/commons-lang-2.6.jar
MD5: 4d5c1693079575b362edf41500630bbd
SHA1: 0ce1edb914c94ebc388f086c6827e8bdeec71ac2
SHA256: 50f11b09f877c294d56f24463f47d28f929cf5044f648661c0f0cfbae9a2f49c
Referenced In Projects/Scopes: file:compileClasspath piglet:compileClasspath file:runtimeClasspath piglet:runtimeClasspath calcite:sqllineClasspath spark:default spark:compileClasspath file:default spark:runtimeClasspath piglet:default csv:runtimeClasspath csv:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | lang | Highest
Vendor | pom | name | Commons Lang | High
Vendor | gradle | groupid | commons-lang | Highest
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | url | http://commons.apache.org/lang/ | Highest
Vendor | file | name | commons-lang | High
Vendor | jar | package name | commons | Highest
Vendor | pom | groupid | commons-lang | Highest
Vendor | jar | package name | apache | Highest
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | Manifest | bundle-docurl | http://commons.apache.org/lang/ | Low
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Vendor | pom | artifactid | commons-lang | Low
Vendor | Manifest | bundle-symbolicname | org.apache.commons.lang | Medium
Product | jar | package name | lang | Highest
Product | pom | name | Commons Lang | High
Product | pom | artifactid | commons-lang | Highest
Product | pom | parent-artifactid | commons-parent | Medium
Product | file | name | commons-lang | High
Product | jar | package name | commons | Highest
Product | Manifest | Implementation-Title | Commons Lang | High
Product | pom | groupid | commons-lang | Highest
Product | gradle | artifactid | commons-lang | Highest
Product | jar | package name | apache | Highest
Product | Manifest | specification-title | Commons Lang | Medium
Product | pom | parent-groupid | org.apache.commons | Medium
Product | pom | url | http://commons.apache.org/lang/ | Medium
Product | Manifest | bundle-docurl | http://commons.apache.org/lang/ | Low
Product | Manifest | Bundle-Name | Commons Lang | Medium
Product | Manifest | bundle-symbolicname | org.apache.commons.lang | Medium
Version | gradle | version | 2.6 | Highest
Version | Manifest | Bundle-Version | 2.6 | High
Version | Manifest | Implementation-Version | 2.6 | High
Version | pom | version | 2.6 | Highest
Version | file | version | 2.6 | High
Version | pom | parent-version | 2.6 | Low
commons-lang3-3.8.1.jar
Description:
Apache Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-lang3/3.8.1/6505a72a097d9270f7a9e7bf42c4238283247755/commons-lang3-3.8.1.jar
MD5: 540b1256d887a6993ecbef23371a3302
SHA1: 6505a72a097d9270f7a9e7bf42c4238283247755
SHA256: dac807f65b07698ff39b1b07bfef3d87ae3fd46d91bbf8a2bc02b2a831616f68
Referenced In Projects/Scopes: innodb:compileClasspath innodb:runtimeClasspath calcite:sqllineClasspath geode:default innodb:default geode:compileClasspath geode:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | automatic-module-name | org.apache.commons.lang3 | Medium
Vendor | Manifest | bundle-symbolicname | org.apache.commons.lang3 | Medium
Vendor | pom | name | Apache Commons Lang | High
Vendor | file | name | commons-lang3 | High
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | pom | url | http://commons.apache.org/proper/commons-lang/ | Highest
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | Manifest | implementation-url | http://commons.apache.org/proper/commons-lang/ | Low
Vendor | pom | artifactid | commons-lang3 | Low
Vendor | gradle | groupid | org.apache.commons | Highest
Vendor | jar | package name | commons | Highest
Vendor | jar | package name | lang3 | Highest
Vendor | jar | package name | apache | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | Manifest | Implementation-Vendor-Id | org.apache.commons | Medium
Vendor | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-lang/ | Low
Vendor | pom | groupid | apache.commons | Highest
Product | Manifest | automatic-module-name | org.apache.commons.lang3 | Medium
Product | Manifest | Bundle-Name | Apache Commons Lang | Medium
Product | Manifest | bundle-symbolicname | org.apache.commons.lang3 | Medium
Product | pom | name | Apache Commons Lang | High
Product | file | name | commons-lang3 | High
Product | pom | parent-artifactid | commons-parent | Medium
Product | Manifest | Implementation-Title | Apache Commons Lang | High
Product | Manifest | implementation-url | http://commons.apache.org/proper/commons-lang/ | Low
Product | Manifest | specification-title | Apache Commons Lang | Medium
Product | jar | package name | commons | Highest
Product | jar | package name | lang3 | Highest
Product | jar | package name | apache | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | pom | artifactid | commons-lang3 | Highest
Product | pom | parent-groupid | org.apache.commons | Medium
Product | pom | url | http://commons.apache.org/proper/commons-lang/ | Medium
Product | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-lang/ | Low
Product | pom | groupid | apache.commons | Highest
Product | gradle | artifactid | commons-lang3 | Highest
Version | gradle | version | 3.8.1 | Highest
Version | pom | parent-version | 3.8.1 | Low
Version | Manifest | Bundle-Version | 3.8.1 | High
Version | pom | version | 3.8.1 | Highest
Version | Manifest | Implementation-Version | 3.8.1 | High
Version | file | version | 3.8.1 | High
commons-lang3-3.8.jar
Description:
Apache Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-lang3/3.8/222fc4cf714a63f27cbdafdbd863efd0d30c8a1e/commons-lang3-3.8.jar
MD5: 0e9023b7d40f09a8f7bdb32889ef4449
SHA1: 222fc4cf714a63f27cbdafdbd863efd0d30c8a1e
SHA256: 9375aad1000cdd5bd3068e832de9802094fac1f145655251e141d5d0072fab9a
Referenced In Projects/Scopes: babel:default piglet:runtimeClasspath spark:default splunk:default function:runtimeClasspath kafka:default redis:compileClasspath spark:compileClasspath redis:runtimeClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath core:default druid:compileClasspath babel:runtimeClasspath elasticsearch:runtimeClasspath piglet:default pig:default plus:runtimeClasspath function:default csv:default file:compileClasspath core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath core:compileClasspath file:runtimeClasspath core:runtimeClasspath elasticsearch:default druid:runtimeClasspath mongodb:runtimeClasspath file:default server:default pig:runtimeClasspath mongodb:default redis:default csv:runtimeClasspath plus:default cassandra:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | automatic-module-name | org.apache.commons.lang3 | Medium
Vendor | pom | name | Apache Commons Lang | High
Vendor | file | name | commons-lang3 | High
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | pom | url | http://commons.apache.org/proper/commons-lang/ | Highest
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | Manifest | implementation-url | http://commons.apache.org/proper/commons-lang/ | Low
Vendor | pom | artifactid | commons-lang3 | Low
Vendor | gradle | groupid | org.apache.commons | Highest
Vendor | jar | package name | commons | Highest
Vendor | jar | package name | lang3 | Highest
Vendor | jar | package name | apache | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | Manifest | bundle-symbolicname | org.apache.commons.commons-lang3 | Medium
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | Manifest | Implementation-Vendor-Id | org.apache.commons | Medium
Vendor | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-lang/ | Low
Vendor | pom | groupid | apache.commons | Highest
Product | Manifest | automatic-module-name | org.apache.commons.lang3 | Medium
Product | Manifest | Bundle-Name | Apache Commons Lang | Medium
Product | pom | name | Apache Commons Lang | High
Product | file | name | commons-lang3 | High
Product | pom | parent-artifactid | commons-parent | Medium
Product | Manifest | Implementation-Title | Apache Commons Lang | High
Product | Manifest | implementation-url | http://commons.apache.org/proper/commons-lang/ | Low
Product | Manifest | specification-title | Apache Commons Lang | Medium
Product | jar | package name | commons | Highest
Product | jar | package name | lang3 | Highest
Product | jar | package name | apache | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | pom | artifactid | commons-lang3 | Highest
Product | Manifest | bundle-symbolicname | org.apache.commons.commons-lang3 | Medium
Product | pom | parent-groupid | org.apache.commons | Medium
Product | pom | url | http://commons.apache.org/proper/commons-lang/ | Medium
Product | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-lang/ | Low
Product | pom | groupid | apache.commons | Highest
Product | gradle | artifactid | commons-lang3 | Highest
Version | pom | version | 3.8 | Highest
Version | pom | parent-version | 3.8 | Low
Version | gradle | version | 3.8 | Highest
Version | file | version | 3.8 | High
Version | Manifest | Implementation-Version | 3.8 | High
commons-logging-1.1.1.jar
Description:
Commons Logging is a thin adapter allowing configurable bridging to other,
well known logging systems.
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-logging/commons-logging/1.1.1/5043bfebc3db072ed80fbd362e7caf00e885d8ae/commons-logging-1.1.1.jar
MD5: ed448347fc0104034aa14c8189bf37de
SHA1: 5043bfebc3db072ed80fbd362e7caf00e885d8ae
SHA256: ce6f913cad1f0db3aad70186d65c5bc7ffcc9a99e3fe8e0b137312819f7c362f
Referenced In Projects/Scopes: file:compileClasspath file:runtimeClasspath pig:runtimeClasspath pig:compileClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | logging | Highest
Vendor | file | name | commons-logging | High
Vendor | pom | groupid | commons-logging | Highest
Vendor | gradle | groupid | commons-logging | Highest
Vendor | pom | url | http://commons.apache.org/logging | Highest
Vendor | jar | package name | commons | Highest
Vendor | Manifest | specification-vendor | Apache Software Foundation | Low
Vendor | pom | artifactid | commons-logging | Low
Vendor | jar | package name | apache | Highest
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | pom | name | Commons Logging | High
Vendor | Manifest | extension-name | org.apache.commons.logging | Medium
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Vendor | Manifest | Implementation-Vendor | Apache Software Foundation | High
Product | jar | package name | logging | Highest
Product | file | name | commons-logging | High
Product | pom | groupid | commons-logging | Highest
Product | pom | parent-artifactid | commons-parent | Medium
Product | pom | url | http://commons.apache.org/logging | Medium
Product | jar | package name | commons | Highest
Product | jar | package name | apache | Highest
Product | pom | parent-groupid | org.apache.commons | Medium
Product | pom | name | Commons Logging | High
Product | Manifest | extension-name | org.apache.commons.logging | Medium
Product | pom | artifactid | commons-logging | Highest
Product | Manifest | Implementation-Title | Jakarta Commons Logging | High
Product | Manifest | specification-title | Jakarta Commons Logging | Medium
Product | gradle | artifactid | commons-logging | Highest
Version | pom | version | 1.1.1 | Highest
Version | Manifest | Implementation-Version | 1.1.1 | High
Version | gradle | version | 1.1.1 | Highest
Version | pom | parent-version | 1.1.1 | Low
Version | file | version | 1.1.1 | High
commons-logging-1.2.jar
Description:
Apache Commons Logging is a thin adapter allowing configurable bridging to other,
well known logging systems.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-logging/commons-logging/1.2/4bfc12adfe4842bf07b657f0369c4cb522955686/commons-logging-1.2.jar
MD5: 040b4b4d8eac886f6b4a2a3bd2f31b00
SHA1: 4bfc12adfe4842bf07b657f0369c4cb522955686
SHA256: daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636
Referenced In Projects/Scopes: piglet:compileClasspath babel:default piglet:runtimeClasspath spark:default splunk:default function:runtimeClasspath kafka:default redis:runtimeClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath core:default linq4j:runtimeClasspath linq4j:default elasticsearch:compileClasspath babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default pig:default plus:runtimeClasspath function:default csv:default core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath core:compileClasspath innodb:runtimeClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default elasticsearch:default geode:compileClasspath druid:runtimeClasspath mongodb:runtimeClasspath file:default server:default mongodb:default redis:default geode:runtimeClasspath csv:runtimeClasspath plus:default cassandra:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | logging | Highest
Vendor | pom | url | http://commons.apache.org/proper/commons-logging/ | Highest
Vendor | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-logging/ | Low
Vendor | file | name | commons-logging | High
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | pom | groupid | commons-logging | Highest
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | gradle | groupid | commons-logging | Highest
Vendor | Manifest | bundle-symbolicname | org.apache.commons.logging | Medium
Vendor | jar | package name | commons | Highest
Vendor | pom | artifactid | commons-logging | Low
Vendor | jar | package name | apache | Highest
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | Manifest | implementation-build | tags/LOGGING_1_2_RC2@r1608092; 2014-07-05 20:11:44+0200 | Low
Vendor | pom | name | Apache Commons Logging | High
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Product | pom | url | http://commons.apache.org/proper/commons-logging/ | Medium
Product | jar | package name | logging | Highest
Product | Manifest | Implementation-Title | Apache Commons Logging | High
Product | Manifest | specification-title | Apache Commons Logging | Medium
Product | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-logging/ | Low
Product | file | name | commons-logging | High
Product | pom | groupid | commons-logging | Highest
Product | Manifest | Bundle-Name | Apache Commons Logging | Medium
Product | pom | parent-artifactid | commons-parent | Medium
Product | Manifest | bundle-symbolicname | org.apache.commons.logging | Medium
Product | jar | package name | commons | Highest
Product | jar | package name | apache | Highest
Product | pom | parent-groupid | org.apache.commons | Medium
Product | Manifest | implementation-build | tags/LOGGING_1_2_RC2@r1608092; 2014-07-05 20:11:44+0200 | Low
Product | pom | artifactid | commons-logging | Highest
Product | pom | name | Apache Commons Logging | High
Product | gradle | artifactid | commons-logging | Highest
Version | file | version | 1.2 | High
Version | Manifest | Implementation-Version | 1.2 | High
Version | pom | version | 1.2 | Highest
Version | gradle | version | 1.2 | Highest
Version | pom | parent-version | 1.2 | Low
commons-math3-3.1.1.jar
Description:
The Math project is a library of lightweight, self-contained mathematics and statistics components addressing the most common practical problems not immediately available in the Java programming language or commons-lang.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-math3/3.1.1/6719d757a98ff24a83d9d727bef9cec83f59b6e1/commons-math3-3.1.1.jar
MD5: 505ece0d2261b037101e6c4bdf541ca7
SHA1: 6719d757a98ff24a83d9d727bef9cec83f59b6e1
SHA256: a07e39d31c46032879f0a48ae1bd0142b17dd67664c008b50216e9891f346c54
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath piglet:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | name | Commons Math | High
Vendor | Manifest | bundle-symbolicname | org.apache.commons.math3 | Medium
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | gradle | groupid | org.apache.commons | Highest
Vendor | jar | package name | commons | Highest
Vendor | Manifest | bundle-docurl | http://commons.apache.org/math/ | Low
Vendor | pom | url | http://commons.apache.org/math/ | Highest
Vendor | file | name | commons-math3 | High
Vendor | jar | package name | apache | Highest
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | jar | package name | math3 | Highest
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | pom | artifactid | commons-math3 | Low
Vendor | Manifest | implementation-build | tags/MATH_3_1_1_RC1@r1430928; 2013-01-09 17:13:33+0100 | Low
Vendor | pom | groupid | apache.commons | Highest
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Product | pom | name | Commons Math | High
Product | Manifest | bundle-symbolicname | org.apache.commons.math3 | Medium
Product | Manifest | Bundle-Name | Commons Math | Medium
Product | pom | parent-artifactid | commons-parent | Medium
Product | pom | artifactid | commons-math3 | Highest
Product | jar | package name | commons | Highest
Product | Manifest | bundle-docurl | http://commons.apache.org/math/ | Low
Product | gradle | artifactid | commons-math3 | Highest
Product | file | name | commons-math3 | High
Product | jar | package name | apache | Highest
Product | Manifest | specification-title | Commons Math | Medium
Product | pom | parent-groupid | org.apache.commons | Medium
Product | jar | package name | math3 | Highest
Product | Manifest | Implementation-Title | Commons Math | High
Product | pom | url | http://commons.apache.org/math/ | Medium
Product | Manifest | implementation-build | tags/MATH_3_1_1_RC1@r1430928; 2013-01-09 17:13:33+0100 | Low
Product | pom | groupid | apache.commons | Highest
Version | gradle | version | 3.1.1 | Highest
Version | file | version | 3.1.1 | High
Version | Manifest | Implementation-Version | 3.1.1 | High
Version | pom | version | 3.1.1 | Highest
Version | Manifest | Bundle-Version | 3.1.1 | High
Version | pom | parent-version | 3.1.1 | Low
commons-math3-3.2.jar
Description:
The Math project is a library of lightweight, self-contained mathematics and statistics components addressing the most common practical problems not immediately available in the Java programming language or commons-lang.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-math3/3.2/ec2544ab27e110d2d431bdad7d538ed509b21e62/commons-math3-3.2.jar
MD5: aaa32530c0f744813570ff73db018698
SHA1: ec2544ab27e110d2d431bdad7d538ed509b21e62
SHA256: 6268a9a0ea3e769fc493a21446664c0ef668e48c93d126791f6f3f757978fee2
Referenced In Projects/Scopes: ubenchmark:jmhCompileClasspath ubenchmark:jmh
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | name | Commons Math | High
Vendor | Manifest | bundle-symbolicname | org.apache.commons.math3 | Medium
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-math/ | Low
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | gradle | groupid | org.apache.commons | Highest
Vendor | jar | package name | commons | Highest
Vendor | file | name | commons-math3 | High
Vendor | jar | package name | apache | Highest
Vendor | pom | url | http://commons.apache.org/proper/commons-math/ | Highest
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | jar | package name | math3 | Highest
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | pom | artifactid | commons-math3 | Low
Vendor | pom | groupid | apache.commons | Highest
Vendor | Manifest | implementation-build | tags/MATH_3_2_RC5@r1463704; 2013-04-02 21:25:31+0200 | Low
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Product | pom | name | Commons Math | High
Product | Manifest | bundle-symbolicname | org.apache.commons.math3 | Medium
Product | Manifest | Bundle-Name | Commons Math | Medium
Product | pom | parent-artifactid | commons-parent | Medium
Product | pom | artifactid | commons-math3 | Highest
Product | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-math/ | Low
Product | pom | url | http://commons.apache.org/proper/commons-math/ | Medium
Product | jar | package name | commons | Highest
Product | gradle | artifactid | commons-math3 | Highest
Product | file | name | commons-math3 | High
Product | jar | package name | apache | Highest
Product | Manifest | specification-title | Commons Math | Medium
Product | pom | parent-groupid | org.apache.commons | Medium
Product | jar | package name | math3 | Highest
Product | Manifest | Implementation-Title | Commons Math | High
Product | pom | groupid | apache.commons | Highest
Product | Manifest | implementation-build | tags/MATH_3_2_RC5@r1463704; 2013-04-02 21:25:31+0200 | Low
Version | file | version | 3.2 | High
Version | pom | parent-version | 3.2 | Low
Version | pom | version | 3.2 | Highest
Version | gradle | version | 3.2 | Highest
Version | Manifest | Implementation-Version | 3.2 | High
commons-math3-3.4.1.jar
Description:
The Apache Commons Math project is a library of lightweight, self-contained mathematics and statistics components addressing the most common practical problems not immediately available in the Java programming language or commons-lang.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-math3/3.4.1/3ac44a8664228384bc68437264cf7c4cf112f579/commons-math3-3.4.1.jar
MD5: 14a218d0ee57907dd2c7ef944b6c0afd
SHA1: 3ac44a8664228384bc68437264cf7c4cf112f579
SHA256: d1075b14a71087038b0bfd198f0f7dd8e49b5b3529d8e2eba99e7d9eb8565e4b
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor pom name Apache Commons Math High Vendor Manifest bundle-symbolicname org.apache.commons.math3 Medium Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest bundle-docurl http://commons.apache.org/proper/commons-math/ Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor gradle groupid org.apache.commons Highest Vendor jar package name commons Highest Vendor file name commons-math3 High Vendor jar package name apache Highest Vendor pom url http://commons.apache.org/proper/commons-math/ Highest Vendor pom parent-groupid org.apache.commons Medium Vendor jar package name math3 Highest Vendor Manifest implementation-build ef6e0f882819e7c5230aece1610297e67775cca2; 2015-01-08 18:19:01+0100 Low Vendor pom parent-artifactid commons-parent Low Vendor pom artifactid commons-math3 Low Vendor pom groupid apache.commons Highest Vendor Manifest Implementation-Vendor-Id org.apache Medium Product pom name Apache Commons Math High Product Manifest bundle-symbolicname org.apache.commons.math3 Medium Product Manifest Bundle-Name Apache Commons Math Medium Product pom parent-artifactid commons-parent Medium Product pom artifactid commons-math3 Highest Product Manifest bundle-docurl http://commons.apache.org/proper/commons-math/ Low Product pom url http://commons.apache.org/proper/commons-math/ Medium Product jar package name commons Highest Product gradle artifactid commons-math3 Highest Product file name commons-math3 High Product jar package name apache Highest Product pom parent-groupid org.apache.commons Medium Product jar package name math3 Highest Product Manifest implementation-build ef6e0f882819e7c5230aece1610297e67775cca2; 2015-01-08 18:19:01+0100 Low Product pom groupid apache.commons Highest Product Manifest specification-title Apache Commons Math Medium Product Manifest Implementation-Title Apache Commons Math High Version file version 3.4.1 High Version pom version 3.4.1 Highest Version Manifest Bundle-Version 3.4.1 High Version Manifest Implementation-Version 3.4.1 High Version gradle version 3.4.1 Highest Version pom parent-version 3.4.1 Low
commons-net-1.4.1.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-net/commons-net/1.4.1/abb932adb2c10790c1eaa4365d3ac2a1ac7cb700/commons-net-1.4.1.jar
MD5: 365c9a26e81b212de0553fbed10452cc
SHA1: abb932adb2c10790c1eaa4365d3ac2a1ac7cb700
SHA256: 05a3611dedf90d0ab3e8ed83dec4ee49200148c09425437eb9348562fde7d83c
Referenced In Projects/Scopes: pig:runtimeClasspath pig:default pig:compileClasspath Evidence Type Source Name Value Confidence Vendor gradle groupid commons-net Highest Vendor jar package name commons Highest Vendor jar package name apache Highest Vendor Manifest extension-name commons-net Medium Vendor jar package name net Highest Vendor jar package name net Low Vendor file name commons-net High Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor jar package name apache Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name commons Low Product jar package name commons Highest Product jar package name apache Highest Product jar package name net Highest Product Manifest extension-name commons-net Medium Product jar package name net Low Product file name commons-net High Product Manifest specification-title Jakarta Commons Net Medium Product gradle artifactid commons-net Highest Product jar package name commons Low Product Manifest Implementation-Title org.apache.commons.net High Version Manifest Implementation-Version 1.4.1 High Version file version 1.4.1 High
commons-net-3.1.jar
Description:
Apache Commons Net library contains a collection of network utilities and protocol implementations.
Supported protocols include: Echo, Finger, FTP, NNTP, NTP, POP3(S), SMTP(S), Telnet, Whois
License:
http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-net/commons-net/3.1/2298164a7c2484406f2aa5ac85b205d39019896f/commons-net-3.1.jar
MD5: 23c94d51e72f341fb412d6a015e16313
SHA1: 2298164a7c2484406f2aa5ac85b205d39019896f
SHA256: 34a58d6d80a50748307e674ec27b4411e6536fd12e78bec428eb2ee49a123007
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor jar package name echo Highest Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name ftp Highest Vendor jar package name whois Highest Vendor jar package name apache Highest Vendor file name commons-net High Vendor jar package name pop3 Highest Vendor pom url http://commons.apache.org/net/ Highest Vendor Manifest Implementation-Vendor-Id org.apache Medium Vendor gradle groupid commons-net Highest Vendor jar package name net Highest Vendor jar package name telnet Highest Vendor Manifest bundle-docurl http://commons.apache.org/net/ Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor pom name Commons Net High Vendor Manifest bundle-symbolicname org.apache.commons.net Medium Vendor jar package name smtp Highest Vendor jar package name nntp Highest Vendor Manifest implementation-build tags/NET_3_1_RC2@r1244108; 2012-02-14 17:45:12+0000 Low Vendor jar package name commons Highest Vendor jar package name finger Highest Vendor pom groupid commons-net Highest Vendor pom parent-groupid org.apache.commons Medium Vendor pom parent-artifactid commons-parent Low Vendor pom artifactid commons-net Low Product jar package name echo Highest Product pom artifactid commons-net Highest Product pom parent-artifactid commons-parent Medium Product jar package name ftp Highest Product jar package name whois Highest Product jar package name apache Highest Product file name commons-net High Product jar package name pop3 Highest Product jar package name net Highest Product jar package name telnet Highest Product Manifest bundle-docurl http://commons.apache.org/net/ Low Product pom name Commons Net High Product Manifest bundle-symbolicname org.apache.commons.net Medium Product jar package name smtp Highest Product gradle artifactid commons-net Highest Product jar package name nntp Highest Product Manifest implementation-build tags/NET_3_1_RC2@r1244108; 2012-02-14 17:45:12+0000 Low Product jar package name commons Highest Product jar package name finger Highest Product pom groupid commons-net Highest Product Manifest Bundle-Name Commons Net Medium Product pom parent-groupid org.apache.commons Medium Product Manifest Implementation-Title Commons Net High Product Manifest specification-title Commons Net Medium Product pom url http://commons.apache.org/net/ Medium Version file version 3.1 High Version pom parent-version 3.1 Low Version pom version 3.1 Highest Version Manifest Implementation-Version 3.1 High Version gradle version 3.1 Highest
commons-pool2-2.6.1.jar
Description:
The Apache Commons Object Pooling Library.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-pool2/2.6.1/4a285ecdea96fd7b621091b334224c527ae420fb/commons-pool2-2.6.1.jar
MD5: 52f8f610a5d832a7edba51b7b77d1717
SHA1: 4a285ecdea96fd7b621091b334224c527ae420fb
SHA256: e2d6f4084f8a180de66c7700343fe8ad3a0aa84f2cb0561edb417fe1fd41aa15
Referenced In Projects/Scopes: babel:default piglet:runtimeClasspath spark:default splunk:default function:runtimeClasspath kafka:default server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath core:default babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default pig:default plus:runtimeClasspath function:default csv:default core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath core:compileClasspath file:runtimeClasspath innodb:runtimeClasspath core:runtimeClasspath geode:default elasticsearch:default druid:runtimeClasspath mongodb:runtimeClasspath file:default server:default pig:runtimeClasspath mongodb:default geode:runtimeClasspath csv:runtimeClasspath plus:default cassandra:default Evidence Type Source Name Value Confidence Vendor Manifest bundle-docurl http://commons.apache.org/proper/commons-pool/ Low Vendor Manifest bundle-symbolicname org.apache.commons.commons-pool2 Medium Vendor Manifest implementation-build release@rd8524d285c22e0d81a5e7a7cf6549ebc18cd62f6; 2019-02-09 18:42:40+0000 Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom url http://commons.apache.org/proper/commons-pool/ Highest Vendor gradle groupid org.apache.commons Highest Vendor jar package name commons Highest Vendor jar package name apache Highest Vendor Manifest implementation-url http://commons.apache.org/proper/commons-pool/ Low Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor pom parent-groupid org.apache.commons Medium Vendor pom parent-artifactid commons-parent Low Vendor pom groupid apache.commons Highest Vendor pom artifactid commons-pool2 Low Vendor jar package name pool2 Highest Vendor file name commons-pool2 High Vendor Manifest Implementation-Vendor-Id org.apache Medium Vendor pom name Apache Commons Pool High Product Manifest bundle-docurl http://commons.apache.org/proper/commons-pool/ Low Product Manifest bundle-symbolicname org.apache.commons.commons-pool2 Medium Product Manifest implementation-build release@rd8524d285c22e0d81a5e7a7cf6549ebc18cd62f6; 2019-02-09 18:42:40+0000 Low Product pom artifactid commons-pool2 Highest Product Manifest Implementation-Title Apache Commons Pool High Product pom url http://commons.apache.org/proper/commons-pool/ Medium Product Manifest specification-title Apache Commons Pool Medium Product pom parent-artifactid commons-parent Medium Product Manifest Bundle-Name Apache Commons Pool Medium Product jar package name commons Highest Product jar package name apache Highest Product Manifest implementation-url http://commons.apache.org/proper/commons-pool/ Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product pom parent-groupid org.apache.commons Medium Product gradle artifactid commons-pool2 Highest Product pom groupid apache.commons Highest Product jar package name pool2 Highest Product file name commons-pool2 High Product pom name Apache Commons Pool High Version Manifest Implementation-Version 2.6.1 High Version pom parent-version 2.6.1 Low Version gradle version 2.6.1 Highest Version file version 2.6.1 High Version pom version 2.6.1 Highest Version Manifest Bundle-Version 2.6.1 High
commons-pool2-2.6.2.jar
Description:
The Apache Commons Object Pooling Library.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-pool2/2.6.2/775a8072995b29eafe8fb0a828a190589f71cede/commons-pool2-2.6.2.jar
MD5: 696197d79439773526f300b1a5eb38c9
SHA1: 775a8072995b29eafe8fb0a828a190589f71cede
SHA256: 689091759a3a4d8da3be38480e3df3fbcb3c3c9d81811d40cb64c56ae62e68f7
Referenced In Projects/Scopes: calcite:sqllineClasspath redis:compileClasspath redis:default redis:runtimeClasspath Evidence Type Source Name Value Confidence Vendor Manifest bundle-docurl http://commons.apache.org/proper/commons-pool/ Low Vendor Manifest bundle-symbolicname org.apache.commons.commons-pool2 Medium Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom url http://commons.apache.org/proper/commons-pool/ Highest Vendor Manifest implementation-build release@r06de412e2ce72007a6e43112164c371de4a66d3b; 2019-04-06 01:16:08+0000 Low Vendor gradle groupid org.apache.commons Highest Vendor jar package name commons Highest Vendor jar package name apache Highest Vendor Manifest implementation-url http://commons.apache.org/proper/commons-pool/ Low Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor pom parent-groupid org.apache.commons Medium Vendor pom parent-artifactid commons-parent Low Vendor pom groupid apache.commons Highest Vendor pom artifactid commons-pool2 Low Vendor jar package name pool2 Highest Vendor file name commons-pool2 High Vendor Manifest Implementation-Vendor-Id org.apache Medium Vendor pom name Apache Commons Pool High Product Manifest bundle-docurl http://commons.apache.org/proper/commons-pool/ Low Product Manifest bundle-symbolicname org.apache.commons.commons-pool2 Medium Product pom artifactid commons-pool2 Highest Product Manifest Implementation-Title Apache Commons Pool High Product pom url http://commons.apache.org/proper/commons-pool/ Medium Product Manifest specification-title Apache Commons Pool Medium Product pom parent-artifactid commons-parent Medium Product Manifest Bundle-Name Apache Commons Pool Medium Product Manifest implementation-build release@r06de412e2ce72007a6e43112164c371de4a66d3b; 2019-04-06 01:16:08+0000 Low Product jar package name commons Highest Product jar package name apache Highest Product Manifest implementation-url http://commons.apache.org/proper/commons-pool/ Low Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product pom parent-groupid org.apache.commons Medium Product gradle artifactid commons-pool2 Highest Product pom groupid apache.commons Highest Product jar package name pool2 Highest Product file name commons-pool2 High Product pom name Apache Commons Pool High Version gradle version 2.6.2 Highest Version pom parent-version 2.6.2 Low Version Manifest Implementation-Version 2.6.2 High Version file version 2.6.2 High Version Manifest Bundle-Version 2.6.2 High Version pom version 2.6.2 Highest
commons-validator-1.6.jar
Description:
Apache Commons Validator provides the building blocks for both client side validation and server side data validation.
It may be used standalone or with a framework like Struts.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/commons-validator/commons-validator/1.6/e989d1e87cdd60575df0765ed5bac65c905d7908/commons-validator-1.6.jar
MD5: 3fd5efd8dcdd601035c123638a897833
SHA1: e989d1e87cdd60575df0765ed5bac65c905d7908
SHA256: bd62795d7068a69cbea333f6dbf9c9c1a6ad7521443fb57202a44874f240ba25
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:runtimeClasspath Evidence Type Source Name Value Confidence Vendor Manifest bundle-docurl http://commons.apache.org/proper/commons-validator/ Low Vendor pom artifactid commons-validator Low Vendor pom name Apache Commons Validator High Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor Manifest bundle-symbolicname org.apache.commons.validator Medium Vendor pom url http://commons.apache.org/proper/commons-validator/ Highest Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest implementation-build tags/VALIDATOR_1_6_RC1@r1783233; 2017-02-16 15:10:22+0000 Low Vendor file name commons-validator High Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name commons Highest Vendor jar package name apache Highest Vendor Manifest implementation-url http://commons.apache.org/proper/commons-validator/ Low Vendor pom parent-groupid org.apache.commons Medium Vendor pom parent-artifactid commons-parent Low Vendor pom groupid commons-validator Highest Vendor jar package name validator Highest Vendor gradle groupid commons-validator Highest Vendor Manifest Implementation-Vendor-Id org.apache Medium Product Manifest bundle-docurl http://commons.apache.org/proper/commons-validator/ Low Product pom name Apache Commons Validator High Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product pom url http://commons.apache.org/proper/commons-validator/ Medium Product Manifest bundle-symbolicname org.apache.commons.validator Medium Product gradle artifactid commons-validator Highest Product Manifest implementation-build tags/VALIDATOR_1_6_RC1@r1783233; 2017-02-16 15:10:22+0000 Low Product pom parent-artifactid commons-parent Medium Product file name commons-validator High Product pom artifactid commons-validator Highest Product Manifest specification-title Apache Commons Validator Medium Product jar package name commons Highest Product Manifest Implementation-Title Apache Commons Validator High Product jar package name apache Highest Product Manifest implementation-url http://commons.apache.org/proper/commons-validator/ Low Product pom parent-groupid org.apache.commons Medium Product pom groupid commons-validator Highest Product Manifest Bundle-Name Apache Commons Validator Medium Product jar package name validator Highest Version Manifest Implementation-Version 1.6 High Version pom version 1.6 Highest Version pom parent-version 1.6 Low Version gradle version 1.6 Highest Version file version 1.6 High
compress-lzf-1.0.3.jar
Description:
Compression codec for LZF encoding for particularly encoding/decoding, with reasonable compression.
Compressor is basic Lempel-Ziv codec, without Huffman (deflate/gzip) or statistical post-encoding.
See "http://oldhome.schmorp.de/marc/liblzf.html" for more on original LZF package.
License:
Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.html File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.ning/compress-lzf/1.0.3/3e1495b0c532ebe58f1c8b1c5d9b3bdcc6c1504c/compress-lzf-1.0.3.jar
MD5: dc55ed6fe0bbad93bbf38331768ba1b4
SHA1: 3e1495b0c532ebe58f1c8b1c5d9b3bdcc6c1504c
SHA256: 6cf93bda1c2caf618652f97d2f36c883a5a9774345384c05d3593b173731bccd
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor jar package name ning Highest Vendor jar package name lzf Highest Vendor pom url http://github.com/ning/compress Highest Vendor gradle groupid com.ning Highest Vendor Manifest bundle-symbolicname com.ning.compress-lzf Medium Vendor pom groupid ning Highest Vendor file name compress-lzf High Vendor pom name Compress-LZF High Vendor pom artifactid compress-lzf Low Vendor jar package name compress Highest Vendor jar package name gzip Highest Product jar package name ning Highest Product pom url http://github.com/ning/compress Medium Product jar package name lzf Highest Product Manifest Bundle-Name Compress-LZF Medium Product pom artifactid compress-lzf Highest Product Manifest bundle-symbolicname com.ning.compress-lzf Medium Product file name compress-lzf High Product jar package name compress Highest Product gradle artifactid compress-lzf Highest Product pom groupid ning Highest Product pom name Compress-LZF High Product jar package name gzip Highest Version file version 1.0.3 High Version gradle version 1.0.3 Highest Version Manifest Bundle-Version 1.0.3 High Version pom version 1.0.3 Highest
core-3.1.1.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.eclipse.jdt/core/3.1.1/88c83ce444cf46d02494da37c9fa1eebc9ce9cea/core-3.1.1.jar
MD5: 8672c6db44f6279a89ee1b3b4ac2ddee
SHA1: 88c83ce444cf46d02494da37c9fa1eebc9ce9cea
SHA256: f9e39cf7326b60d1d3016ed90fadc049f71d312c97aa97cbaaf851d6376730ba
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath Evidence Type Source Name Value Confidence Vendor jar package name internal Low Vendor Manifest bundle-localization plugin Low Vendor gradle groupid org.eclipse.jdt Highest Vendor jar package name jdt Highest Vendor jar package name eclipse Low Vendor jar package name eclipse Highest Vendor file name core High Vendor Manifest bundle-symbolicname org.eclipse.jdt.core; singleton:=true Medium Vendor jar package name jdt Low Vendor jar package name core Highest Vendor Manifest require-bundle org.eclipse.core.resources,org.eclipse.core.runtime,org.eclipse.text,org.eclipse.team.core;resolution:=optional Low Vendor Manifest eclipse-autostart true Low Product jar package name internal Low Product gradle artifactid core Highest Product Manifest Bundle-Name %pluginName Medium Product Manifest bundle-localization plugin Low Product jar package name jdt Highest Product jar package name eclipse Highest Product file name core High Product Manifest bundle-symbolicname org.eclipse.jdt.core; singleton:=true Medium Product jar package name jdt Low Product jar package name core Highest Product Manifest require-bundle org.eclipse.core.resources,org.eclipse.core.runtime,org.eclipse.text,org.eclipse.team.core;resolution:=optional Low Product Manifest eclipse-autostart true Low Product jar package name core Low Version jar package name core Highest Version gradle version 3.1.1 Highest Version file version 3.1.1 High Version file name core Medium Version jar package name eclipse Highest Version Manifest Bundle-Version 3.1.1 High
core-3.1.1.jar: jdtCompilerAdapter.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.eclipse.jdt/core/3.1.1/88c83ce444cf46d02494da37c9fa1eebc9ce9cea/core-3.1.1.jar/jdtCompilerAdapter.jar
MD5: 487fe5b1b0620b36569379eb247489cd
SHA1: 91920f715d9654c149736a7f508eb5fc4e1747e1
SHA256: 35732196f104ff29c208a345b67ca4da993fb2a7095a2419e674f350ab21e726
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath Evidence Type Source Name Value Confidence Vendor file name jdtCompilerAdapter High Vendor jar package name eclipse Low Vendor jar package name jdt Low Vendor jar package name core Low Product file name jdtCompilerAdapter High Product jar package name jdt Low Product jar package name core Low
curator-client-2.7.1.jar
Description:
Low-level API
License:
http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.curator/curator-client/2.7.1/a591dfc085db3e9d4d480381cc7e6ae8a26b34af/curator-client-2.7.1.jar
MD5: 3b43933c18d1dcf15f88db73ee646396
SHA1: a591dfc085db3e9d4d480381cc7e6ae8a26b34af
SHA256: 949ac95323bb13b4d9cde33ab1ca73f07a87e6e43cf76629e89fdd74d5b378e4
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor pom parent-artifactid apache-curator Low Vendor Manifest bundle-symbolicname curator-client Medium Vendor jar package name apache Highest Vendor pom parent-groupid org.apache.curator Medium Vendor Manifest bundle-docurl http://www.apache.org/ Low Vendor pom artifactid curator-client Low Vendor file name curator-client High Vendor pom groupid apache.curator Highest Vendor gradle groupid org.apache.curator Highest Vendor jar package name curator Highest Vendor pom name Curator Client High Product Manifest bundle-symbolicname curator-client Medium Product jar package name curator Highest Product pom name Curator Client High Product jar package name apache Highest Product pom parent-groupid org.apache.curator Medium Product Manifest bundle-docurl http://www.apache.org/ Low Product file name curator-client High Product Manifest Bundle-Name Curator Client Medium Product pom groupid apache.curator Highest Product pom parent-artifactid apache-curator Medium Product gradle artifactid curator-client Highest Product pom artifactid curator-client Highest Version file version 2.7.1 High Version Manifest Bundle-Version 2.7.1 High Version pom version 2.7.1 Highest Version gradle version 2.7.1 Highest
curator-framework-2.7.1.jar
Description:
High-level API that greatly simplifies using ZooKeeper.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.curator/curator-framework/2.7.1/8c7b1eeb78e43bb91ea737111ba3dec0512be876/curator-framework-2.7.1.jar
MD5: 35bff30d2a79a8b0731269604b1327ee
SHA1: 8c7b1eeb78e43bb91ea737111ba3dec0512be876
SHA256: a65e3f515b022d84d86c553c99216e384bc82d1de51b5a32b10f33314ad81ceb
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor pom artifactid curator-framework Low Vendor Manifest bundle-symbolicname curator-framework Medium Vendor gradle groupid org.apache.curator Highest Vendor jar package name curator Highest Vendor pom parent-artifactid apache-curator Low Vendor jar package name apache Highest Vendor pom parent-groupid org.apache.curator Medium Vendor Manifest bundle-docurl http://www.apache.org/ Low Vendor jar package name framework Highest Vendor pom groupid apache.curator Highest Vendor jar package name api Highest Vendor file name curator-framework High Vendor pom name Curator Framework High Product Manifest bundle-symbolicname curator-framework Medium Product gradle artifactid curator-framework Highest Product jar package name curator Highest Product Manifest Bundle-Name Curator Framework Medium Product pom artifactid curator-framework Highest Product jar package name apache Highest Product pom parent-groupid org.apache.curator Medium Product Manifest bundle-docurl http://www.apache.org/ Low Product jar package name framework Highest Product pom groupid apache.curator Highest Product jar package name api Highest Product pom parent-artifactid apache-curator Medium Product file name curator-framework High Product pom name Curator Framework High Version file version 2.7.1 High Version Manifest Bundle-Version 2.7.1 High Version pom version 2.7.1 Highest Version gradle version 2.7.1 Highest
curator-recipes-2.7.1.jar
Description:
All of the recipes listed on the ZooKeeper recipes doc (except two phase commit).
License:
http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.curator/curator-recipes/2.7.1/a2c180efc6a38a4f8c9197eb35bb4eb5716cd2fa/curator-recipes-2.7.1.jar
MD5: 156ad30fb9995b072175ae60fbb352a5
SHA1: a2c180efc6a38a4f8c9197eb35bb4eb5716cd2fa
SHA256: ce122f137e36268e30082bf1565c51d874ca926801be3ca73b3c0d522b0dfe2c
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor gradle groupid org.apache.curator Highest Vendor pom artifactid curator-recipes Low Vendor jar package name curator Highest Vendor pom parent-artifactid apache-curator Low Vendor file name curator-recipes High Vendor jar package name apache Highest Vendor pom parent-groupid org.apache.curator Medium Vendor Manifest bundle-docurl http://www.apache.org/ Low Vendor pom name Curator Recipes High Vendor pom groupid apache.curator Highest Vendor jar package name recipes Highest Vendor Manifest bundle-symbolicname curator-recipes Medium Product jar package name curator Highest Product Manifest Bundle-Name Curator Recipes Medium Product gradle artifactid curator-recipes Highest Product file name curator-recipes High Product jar package name apache Highest Product pom parent-groupid org.apache.curator Medium Product Manifest bundle-docurl http://www.apache.org/ Low Product pom name Curator Recipes High Product pom groupid apache.curator Highest Product jar package name recipes Highest Product pom artifactid curator-recipes Highest Product pom parent-artifactid apache-curator Medium Product Manifest bundle-symbolicname curator-recipes Medium Version file version 2.7.1 High Version Manifest Bundle-Version 2.7.1 High Version pom version 2.7.1 Highest Version gradle version 2.7.1 Highest
elasticsearch-rest-client-7.0.1.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.elasticsearch.client/elasticsearch-rest-client/7.0.1/bc8c679f6e53a51a99190a7a3108ab760b24bbf5/elasticsearch-rest-client-7.0.1.jar
MD5: c2be6e0386135cff4ded5764dc7af5cc
SHA1: bc8c679f6e53a51a99190a7a3108ab760b24bbf5
SHA256: 32630b808e3478cfbe1e52e81c3942f10cee251bec45bbb4b6c76253643db795
Referenced In Projects/Scopes: elasticsearch:compileClasspath calcite:sqllineClasspath elasticsearch:runtimeClasspath elasticsearch:default Evidence Type Source Name Value Confidence Vendor jar package name elasticsearch Low Vendor Manifest module-source /client/rest Low Vendor Manifest branch e4efcb53ec7a1f2138494c837def7c5a2aff0751 Low Vendor jar package name client Low Vendor Manifest x-compile-elasticsearch-snapshot false Low Vendor Manifest build-date 2019-04-29T12:56:48.518377Z Low Vendor gradle groupid org.elasticsearch.client Highest Vendor Manifest built-os Linux Low Vendor file name elasticsearch-rest-client High Vendor Manifest change e4efcb5 Low Vendor Manifest module-origin elastic/elasticsearch.git Low Vendor Manifest built-status integration Low Product Manifest module-source /client/rest Low Product jar package name client Highest Product Manifest branch e4efcb53ec7a1f2138494c837def7c5a2aff0751 Low Product jar package name client Low Product Manifest x-compile-elasticsearch-snapshot false Low Product Manifest build-date 2019-04-29T12:56:48.518377Z Low Product jar package name elasticsearch Highest Product Manifest built-os Linux Low Product gradle artifactid elasticsearch-rest-client Highest Product Manifest Implementation-Title org.elasticsearch.client#rest;7.0.1 High Product file name elasticsearch-rest-client High Product Manifest change e4efcb5 Low Product Manifest module-origin elastic/elasticsearch.git Low Product Manifest built-status integration Low Version file version 7.0.1 High Version Manifest Implementation-Version 7.0.1 High
error_prone_annotations-2.3.2.jar
License:
Apache 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.errorprone/error_prone_annotations/2.3.2/d1a0c5032570e0f64be6b4d9c90cdeb103129029/error_prone_annotations-2.3.2.jar
MD5: 42c8312a7eb4b6ff612049c4f7b514a6
SHA1: d1a0c5032570e0f64be6b4d9c90cdeb103129029
SHA256: 357cd6cfb067c969226c442451502aee13800a24e950fdfde77bcdb4565a668d
Referenced In Projects/Scopes: splunk:checkstyle cassandra:checkstyle piglet:checkstyle calcite:checkstyle bom:checkstyle function:checkstyle spark:checkstyle plus:checkstyle pig:checkstyle druid:checkstyle csv:checkstyle core:checkstyle server:checkstyle file:checkstyle geode:checkstyle mongodb:checkstyle elasticsearch:checkstyle release:checkstyle kafka:checkstyle ubenchmark:checkstyle linq4j:checkstyle redis:checkstyle babel:checkstyle example:checkstyle innodb:checkstyle Evidence Type Source Name Value Confidence Vendor jar package name google Highest Vendor gradle groupid com.google.errorprone Highest Vendor jar package name errorprone Highest Vendor jar package name annotations Low Vendor file name error_prone_annotations High Vendor jar package name google Low Vendor jar package name annotations Highest Vendor pom groupid google.errorprone Highest Vendor pom artifactid error_prone_annotations Low Vendor pom parent-artifactid error_prone_parent Low Vendor jar package name errorprone Low Vendor pom name error-prone annotations High Vendor pom parent-groupid com.google.errorprone Medium Product jar package name google Highest Product jar package name errorprone Highest Product jar package name annotations Low Product gradle artifactid error_prone_annotations Highest Product file name error_prone_annotations High Product pom parent-artifactid error_prone_parent Medium Product jar package name annotations Highest Product pom groupid google.errorprone Highest Product jar package name errorprone Low Product pom name error-prone annotations High Product pom artifactid error_prone_annotations Highest Product pom parent-groupid com.google.errorprone Medium Version file version 2.3.2 High Version gradle version 2.3.2 Highest Version pom version 2.3.2 Highest
error_prone_annotations-2.5.1.jar
License: Apache 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.errorprone/error_prone_annotations/2.5.1/562d366678b89ce5d6b6b82c1a073880341e3fba/error_prone_annotations-2.5.1.jar
MD5: 2bf3239388cf5c817cd83ecb692b045f
SHA1: 562d366678b89ce5d6b6b82c1a073880341e3fba
SHA256: ff80626baaf12a09342befd4e84cba9d50662f5fcd7f7a9b3490a6b7cf87e66c
Referenced In Projects/Scopes: cassandra:compileClasspath piglet:compileClasspath piglet:runtimeClasspath spark:default splunk:default kafka:default spark:compileClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath linq4j:runtimeClasspath linq4j:default druid:compileClasspath plus:compileClasspath linq4j:compileClasspath pig:default plus:runtimeClasspath splunk:compileClasspath function:default file:compileClasspath core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath file:runtimeClasspath innodb:runtimeClasspath elasticsearch:default kafka:compileClasspath druid:runtimeClasspath mongodb:default cassandra:default babel:default function:runtimeClasspath redis:compileClasspath redis:runtimeClasspath core:default function:compileClasspath elasticsearch:compileClasspath babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default babel:compileClasspath csv:default innodb:compileClasspath core:compileClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default geode:compileClasspath mongodb:runtimeClasspath file:default server:default ubenchmark:jmhCompileClasspath pig:runtimeClasspath mongodb:compileClasspath server:compileClasspath redis:default geode:runtimeClasspath csv:compileClasspath csv:runtimeClasspath plus:default pig:compileClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | jar | package name | google | Highest
Vendor | file | name | error_prone_annotations | High
Vendor | jar | package name | annotations | Highest
Vendor | pom | groupid | google.errorprone | Highest
Vendor | pom | artifactid | error_prone_annotations | Low
Vendor | gradle | groupid | com.google.errorprone | Highest
Vendor | pom | parent-artifactid | error_prone_parent | Low
Vendor | pom | name | error-prone annotations | High
Vendor | jar | package name | errorprone | Highest
Vendor | pom | parent-groupid | com.google.errorprone | Medium
Vendor | Manifest | automatic-module-name | com.google.errorprone.annotations | Medium
Product | gradle | artifactid | error_prone_annotations | Highest
Product | jar | package name | google | Highest
Product | file | name | error_prone_annotations | High
Product | pom | parent-artifactid | error_prone_parent | Medium
Product | jar | package name | annotations | Highest
Product | pom | groupid | google.errorprone | Highest
Product | pom | name | error-prone annotations | High
Product | pom | artifactid | error_prone_annotations | Highest
Product | jar | package name | errorprone | Highest
Product | pom | parent-groupid | com.google.errorprone | Medium
Product | Manifest | automatic-module-name | com.google.errorprone.annotations | Medium
Version | file | version | 2.5.1 | High
Version | pom | version | 2.5.1 | Highest
Version | gradle | version | 2.5.1 | Highest
esri-geometry-api-2.2.0.jar
Description: The Esri Geometry API for Java enables developers to write custom applications for analysis of spatial data.
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.esri.geometry/esri-geometry-api/2.2.0/2663f80d28c2470630a996464d6130b2809c9dbe/esri-geometry-api-2.2.0.jar
MD5: 613f8c19da02c4256815a85f3d4bbb1e
SHA1: 2663f80d28c2470630a996464d6130b2809c9dbe
SHA256: 08e6f65d3658ee0c199fcf5cf552c5b4e1095d5c60c9e683b27f29e53e219f60
Referenced In Projects/Scopes: cassandra:compileClasspath piglet:compileClasspath piglet:runtimeClasspath spark:default splunk:default kafka:default spark:compileClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath druid:compileClasspath plus:compileClasspath pig:default plus:runtimeClasspath splunk:compileClasspath function:default file:compileClasspath core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath file:runtimeClasspath innodb:runtimeClasspath elasticsearch:default kafka:compileClasspath druid:runtimeClasspath mongodb:default cassandra:default babel:default function:runtimeClasspath redis:compileClasspath redis:runtimeClasspath core:default function:compileClasspath elasticsearch:compileClasspath babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default babel:compileClasspath csv:default innodb:compileClasspath core:compileClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default geode:compileClasspath mongodb:runtimeClasspath file:default server:default ubenchmark:jmhCompileClasspath pig:runtimeClasspath mongodb:compileClasspath server:compileClasspath redis:default geode:runtimeClasspath csv:compileClasspath csv:runtimeClasspath plus:default pig:compileClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | pom | groupid | esri.geometry | Highest
Vendor | pom | artifactid | esri-geometry-api | Low
Vendor | jar | package name | esri | Highest
Vendor | jar | package name | geometry | Highest
Vendor | pom | name | Esri Geometry API for Java | High
Vendor | pom | url | Esri/geometry-api-java | Highest
Vendor | jar | package name | esri | Low
Vendor | gradle | groupid | com.esri.geometry | Highest
Vendor | file | name | esri-geometry-api | High
Vendor | jar | package name | geometry | Low
Vendor | jar | package name | core | Low
Product | pom | groupid | esri.geometry | Highest
Product | pom | artifactid | esri-geometry-api | Highest
Product | gradle | artifactid | esri-geometry-api | Highest
Product | jar | package name | esri | Highest
Product | jar | package name | geometry | Highest
Product | pom | name | Esri Geometry API for Java | High
Product | file | name | esri-geometry-api | High
Product | pom | url | Esri/geometry-api-java | High
Product | jar | package name | geometry | Low
Product | jar | package name | core | Low
Version | gradle | version | 2.2.0 | Highest
Version | file | version | 2.2.0 | High
Version | pom | version | 2.2.0 | Highest
failureaccess-1.0.1.jar
Description: Contains com.google.common.util.concurrent.internal.InternalFutureFailureAccess and InternalFutures. Most users will never need to use this artifact. Its classes are conceptually a part of Guava, but they're in this separate artifact so that Android libraries can use them without pulling in all of Guava (just as they can use ListenableFuture by depending on the listenablefuture artifact).
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.guava/failureaccess/1.0.1/1dcf1de382a0bf95a3d8b0849546c88bac1292c9/failureaccess-1.0.1.jar
MD5: 091883993ef5bfa91da01dcc8fc52236
SHA1: 1dcf1de382a0bf95a3d8b0849546c88bac1292c9
SHA256: a171ee4c734dd2da837e4b16be9df4661afab72a41adaf31eb84dfdaf936ca26
Referenced In Projects/Scopes: cassandra:compileClasspath piglet:compileClasspath splunk:checkstyle calcite:checkstyle piglet:runtimeClasspath spark:default splunk:default kafka:default spark:compileClasspath function:checkstyle server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath linq4j:runtimeClasspath linq4j:default druid:checkstyle druid:compileClasspath plus:compileClasspath csv:checkstyle linq4j:compileClasspath pig:default plus:runtimeClasspath splunk:compileClasspath core:checkstyle function:default file:compileClasspath core:implementationDependenciesMetadata file:checkstyle kafka:runtimeClasspath splunk:runtimeClasspath file:runtimeClasspath innodb:runtimeClasspath elasticsearch:default geode:checkstyle kafka:compileClasspath druid:runtimeClasspath mongodb:checkstyle elasticsearch:checkstyle linq4j:checkstyle redis:checkstyle babel:checkstyle mongodb:default cassandra:default innodb:checkstyle cassandra:checkstyle piglet:checkstyle bom:checkstyle babel:default function:runtimeClasspath redis:compileClasspath redis:runtimeClasspath spark:checkstyle plus:checkstyle core:default function:compileClasspath pig:checkstyle elasticsearch:compileClasspath babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default babel:compileClasspath server:checkstyle csv:default innodb:compileClasspath core:compileClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default geode:compileClasspath mongodb:runtimeClasspath release:checkstyle file:default server:default kafka:checkstyle ubenchmark:checkstyle ubenchmark:jmhCompileClasspath example:checkstyle pig:runtimeClasspath mongodb:compileClasspath server:compileClasspath redis:default geode:runtimeClasspath csv:compileClasspath csv:runtimeClasspath plus:default pig:compileClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | jar | package name | google | Highest
Vendor | pom | name | Guava InternalFutureFailureAccess and InternalFutures | High
Vendor | jar | package name | common | Highest
Vendor | Manifest | bundle-symbolicname | com.google.guava.failureaccess | Medium
Vendor | gradle | groupid | com.google.guava | Highest
Vendor | pom | artifactid | failureaccess | Low
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | jar | package name | concurrent | Highest
Vendor | jar | package name | util | Highest
Vendor | file | name | failureaccess | High
Vendor | pom | groupid | google.guava | Highest
Vendor | pom | parent-groupid | com.google.guava | Medium
Vendor | pom | parent-artifactid | guava-parent | Low
Vendor | Manifest | bundle-docurl | https://github.com/google/guava/ | Low
Product | jar | package name | google | Highest
Product | pom | name | Guava InternalFutureFailureAccess and InternalFutures | High
Product | pom | artifactid | failureaccess | Highest
Product | jar | package name | common | Highest
Product | gradle | artifactid | failureaccess | Highest
Product | Manifest | bundle-symbolicname | com.google.guava.failureaccess | Medium
Product | pom | parent-artifactid | guava-parent | Medium
Product | jar | package name | concurrent | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | jar | package name | util | Highest
Product | file | name | failureaccess | High
Product | pom | groupid | google.guava | Highest
Product | pom | parent-groupid | com.google.guava | Medium
Product | Manifest | Bundle-Name | Guava InternalFutureFailureAccess and InternalFutures | Medium
Product | Manifest | bundle-docurl | https://github.com/google/guava/ | Low
Version | file | version | 1.0.1 | High
Version | pom | parent-version | 1.0.1 | Low
Version | Manifest | Bundle-Version | 1.0.1 | High
Version | pom | version | 1.0.1 | Highest
Version | gradle | version | 1.0.1 | Highest
fastutil-8.2.2.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/it.unimi.dsi/fastutil/8.2.2/975aab42e32a96ecb9696971a87c87a049055452/fastutil-8.2.2.jar
MD5: c8f4236df0f16a8125b415eb4371c0dd
SHA1: 975aab42e32a96ecb9696971a87c87a049055452
SHA256: a6492bd60e4a93c3e302c00291497696bf6d2f927eacaff11cb4fa336dfd5097
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | jar | package name | it | Highest
Vendor | gradle | groupid | it.unimi.dsi | Highest
Vendor | jar | package name | fastutil | Highest
Vendor | jar | package name | dsi | Highest
Vendor | jar | package name | unimi | Low
Vendor | file | name | fastutil | High
Vendor | Manifest | bundle-symbolicname | it.unimi.dsi.fastutil | Medium
Vendor | jar | package name | dsi | Low
Vendor | jar | package name | it | Low
Vendor | Manifest | automatic-module-name | it.unimi.dsi.fastutil | Medium
Vendor | jar | package name | unimi | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | jar | package name | it | Highest
Product | Manifest | Bundle-Name | it.unimi.dsi.fastutil | Medium
Product | jar | package name | fastutil | Low
Product | jar | package name | fastutil | Highest
Product | jar | package name | dsi | Highest
Product | jar | package name | unimi | Low
Product | file | name | fastutil | High
Product | Manifest | bundle-symbolicname | it.unimi.dsi.fastutil | Medium
Product | jar | package name | dsi | Low
Product | gradle | artifactid | fastutil | Highest
Product | Manifest | automatic-module-name | it.unimi.dsi.fastutil | Medium
Product | jar | package name | unimi | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Version | file | name | fastutil | Medium
Version | gradle | version | 8.2.2 | Highest
Version | file | version | 8.2.2 | High
Version | Manifest | Bundle-Version | 8.2.2 | High
findbugs-annotations-1.3.9-1.jar
Description: A clean room implementation of the Findbugs Annotations based entirely on the specification provided by the javadocs and at http://findbugs.sourceforge.net/manual/annotations.html.
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.stephenc.findbugs/findbugs-annotations/1.3.9-1/a6b11447635d80757d64b355bed3c00786d86801/findbugs-annotations-1.3.9-1.jar
MD5: 70fda5202eb9d9ce4f250f2c2ba71152
SHA1: a6b11447635d80757d64b355bed3c00786d86801
SHA256: 1e651066ed9ae35d7e3001d635d1dbba1c2965db0e4e33e2c14ad610543f225c
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | pom | artifactid | findbugs-annotations | Low
Vendor | jar | package name | edu | Low
Vendor | gradle | groupid | com.github.stephenc.findbugs | Highest
Vendor | pom | groupid | github.stephenc.findbugs | Highest
Vendor | pom | name | Findbugs Annotations under Apache License | High
Vendor | pom | url | http://stephenc.github.com/findbugs-annotations | Highest
Vendor | jar | package name | cs | Low
Vendor | jar | package name | findbugs | Highest
Vendor | jar | package name | umd | Low
Vendor | file | name | findbugs-annotations | High
Product | pom | artifactid | findbugs-annotations | Highest
Product | gradle | artifactid | findbugs-annotations | Highest
Product | pom | groupid | github.stephenc.findbugs | Highest
Product | pom | name | Findbugs Annotations under Apache License | High
Product | jar | package name | cs | Low
Product | jar | package name | findbugs | Highest
Product | jar | package name | umd | Low
Product | pom | url | http://stephenc.github.com/findbugs-annotations | Medium
Product | jar | package name | findbugs | Low
Product | file | name | findbugs-annotations | High
Version | pom | version | 1.3.9-1 | Highest
Version | gradle | version | 1.3.9-1 | Highest
fmpp-0.9.16.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.sourceforge.fmpp/fmpp/0.9.16/e113af0e1b2b81058980d63b13a810e42036207e/fmpp-0.9.16.jar
MD5: c45c2da08ca71c7a1bd71af7b622b578
SHA1: e113af0e1b2b81058980d63b13a810e42036207e
SHA256: 16ec342bd8f7600f6823445b59c82475fc3cb00e72e81f2c998f208529e41ecd
Referenced In Projects/Scopes: babel:fmppClaspath server:fmppClaspath core:fmppClaspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | fmpp | High
Vendor | jar | package name | fmpp | Highest
Vendor | Manifest | specification-vendor | Dániel Dékány | Low
Vendor | gradle | groupid | net.sourceforge.fmpp | Highest
Vendor | Manifest | extension-name | fmpp | Medium
Vendor | Manifest | Implementation-Vendor | Dániel Dékány | High
Vendor | jar | package name | fmpp | Low
Product | file | name | fmpp | High
Product | gradle | artifactid | fmpp | Highest
Product | jar | package name | fmpp | Highest
Product | Manifest | Implementation-Title | FMPP | High
Product | Manifest | extension-name | fmpp | Medium
Product | Manifest | specification-title | FMPP | Medium
Version | file | version | 0.9.16 | High
Version | Manifest | Implementation-Version | 0.9.16 | High
foodmart-data-hsqldb-0.3.jar
Description: Foodmart data set in hsqldb format
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.hydromatic/foodmart-data-hsqldb/0.3/137a80234659c23c12149bb5bfb998f8c409dee4/foodmart-data-hsqldb-0.3.jar
MD5: b8476326acbcbdd9850e8e89be99b761
SHA1: 137a80234659c23c12149bb5bfb998f8c409dee4
SHA256: 6b885d71074756360052030f3dac0b87f7b20ef0b6fc3710dc388f78fd4eff79
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | jar | package name | foodmart | Low
Vendor | jar | package name | net | Highest
Vendor | jar | package name | hydromatic | Highest
Vendor | jar | package name | data | Highest
Vendor | pom | organization url | http://www.hydromatic.net | Medium
Vendor | gradle | groupid | net.hydromatic | Highest
Vendor | pom | groupid | net.hydromatic | Highest
Vendor | pom | name | foodmart-data-hsqldb | High
Vendor | pom | parent-artifactid | parent | Low
Vendor | pom | url | http://github.com/julianhyde/foodmart-data-hsqldb | Highest
Vendor | jar | package name | foodmart | Highest
Vendor | pom | artifactid | foodmart-data-hsqldb | Low
Vendor | jar | package name | net | Low
Vendor | pom | organization name | Julian Hyde | High
Vendor | file | name | foodmart-data-hsqldb | High
Vendor | jar | package name | hydromatic | Low
Product | pom | parent-artifactid | parent | Medium
Product | pom | organization name | Julian Hyde | Low
Product | jar | package name | foodmart | Low
Product | jar | package name | net | Highest
Product | jar | package name | hydromatic | Highest
Product | pom | artifactid | foodmart-data-hsqldb | Highest
Product | jar | package name | data | Highest
Product | gradle | artifactid | foodmart-data-hsqldb | Highest
Product | pom | groupid | net.hydromatic | Highest
Product | pom | name | foodmart-data-hsqldb | High
Product | pom | url | http://github.com/julianhyde/foodmart-data-hsqldb | Medium
Product | jar | package name | foodmart | Highest
Product | file | name | foodmart-data-hsqldb | High
Product | jar | package name | hydromatic | Low
Product | pom | organization url | http://www.hydromatic.net | Low
Product | jar | package name | data | Low
Version | pom | parent-version | 0.3 | Low
Version | pom | version | 0.3 | Highest
Version | gradle | version | 0.3 | Highest
Version | file | version | 0.3 | High
freemarker-2.3.29.jar
License: Apache License, Version 2.0; see: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.freemarker/freemarker/2.3.29/46005eeee02e4458520c85d0bcf5001467b053c3/freemarker-2.3.29.jar
MD5: e7b12d592512f9a0a2712112f67ef4f3
SHA1: 46005eeee02e4458520c85d0bcf5001467b053c3
SHA256: ce9ffbcd065cbce1d5bf295755965167cdbaea4d13039a09e842cea32f0d7655
Referenced In Projects/Scopes: babel:fmppClaspath server:fmppClaspath core:fmppClaspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | Manifest | Implementation-Vendor | freemarker.org | High
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8, JavaSE-1.7, JavaSE-1.6, J2SE-1.5 | Low
Vendor | file | name | freemarker | High
Vendor | gradle | groupid | org.freemarker | Highest
Vendor | Manifest | bundle-symbolicname | org.freemarker.freemarker | Medium
Vendor | Manifest | specification-vendor | freemarker.org | Low
Vendor | jar | package name | freemarker | Highest
Vendor | Manifest | extension-name | FreeMarker | Medium
Vendor | jar | package name | freemarker | Low
Product | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8, JavaSE-1.7, JavaSE-1.6, J2SE-1.5 | Low
Product | file | name | freemarker | High
Product | Manifest | bundle-symbolicname | org.freemarker.freemarker | Medium
Product | Manifest | Bundle-Name | org.freemarker.freemarker | Medium
Product | jar | package name | freemarker | Highest
Product | Manifest | Implementation-Title | FreeMarker | High
Product | gradle | artifactid | freemarker | Highest
Product | Manifest | extension-name | FreeMarker | Medium
Product | Manifest | specification-title | FreeMarker | Medium
Version | Manifest | Implementation-Version | 2.3.29 | High
Version | file | version | 2.3.29 | High
geode-common-1.10.0.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.geode/geode-common/1.10.0/543800f90965b8fd58a84cff400ba7c991afff1d/geode-common-1.10.0.jar
MD5: dac7e5c30e38168fee80867d5200563e
SHA1: 543800f90965b8fd58a84cff400ba7c991afff1d
SHA256: c124bf87b09c1d4eaacf65884a61015cdf4b1bfd7b37c3192c818c20f6527cc5
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | jar | package name | geode | Low
Vendor | Manifest | organization | Apache Software Foundation (ASF) | Low
Vendor | jar | package name | apache | Low
Vendor | file | name | geode-common | High
Vendor | gradle | groupid | org.apache.geode | Highest
Vendor | jar | package name | annotations | Low
Product | jar | package name | internal | Low
Product | gradle | artifactid | geode-common | Highest
Product | jar | package name | apache | Highest
Product | jar | package name | geode | Low
Product | Manifest | organization | Apache Software Foundation (ASF) | Low
Product | Manifest | title | geode | Medium
Product | jar | package name | geode | Highest
Product | file | name | geode-common | High
Product | jar | package name | annotations | Low
Version | file | name | geode-common | Medium
Version | gradle | version | 1.10.0 | Highest
Version | jar | package name | apache | Highest
Version | Manifest | version | 1.10.0 | Medium
Version | file | version | 1.10.0 | High
geode-core-1.10.0.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.geode/geode-core/1.10.0/81f925c18827b980a841224e0a93848f4d85c8f4/geode-core-1.10.0.jar
MD5: 4dc0a799c77b4d62e6c42a1618615214
SHA1: 81f925c18827b980a841224e0a93848f4d85c8f4
SHA256: 10f9b5e868015b0ba93f3bbd1154764ebba561a0d35acac0c5788e41b96de541
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | geode-core | High
Vendor | jar | package name | internal | Low
Vendor | Manifest | automatic-module-name | org.apache.geode.core | Medium
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | geode | Low
Vendor | Manifest | organization | Apache Software Foundation (ASF) | Low
Vendor | jar | package name | geode | Highest
Vendor | jar | package name | apache | Low
Vendor | gradle | groupid | org.apache.geode | Highest
Product | file | name | geode-core | High
Product | jar | package name | internal | Low
Product | Manifest | automatic-module-name | org.apache.geode.core | Medium
Product | jar | package name | apache | Highest
Product | jar | package name | geode | Low
Product | jar | package name | cache | Low
Product | gradle | artifactid | geode-core | Highest
Product | Manifest | organization | Apache Software Foundation (ASF) | Low
Product | jar | package name | geode | Highest
Product | Manifest | title | geode | Medium
Version | gradle | version | 1.10.0 | Highest
Version | jar | package name | apache | Highest
Version | Manifest | version | 1.10.0 | Medium
Version | file | version | 1.10.0 | High
Version | file | name | geode-core | Medium
geode-management-1.10.0.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.geode/geode-management/1.10.0/a7b4e3b15fd940f0fa5c78300be74f55ba0d3553/geode-management-1.10.0.jar
MD5: 82428ca698555c2e3a53a35d105a02f4
SHA1: a7b4e3b15fd940f0fa5c78300be74f55ba0d3553
SHA256: 0407b7669278999826ea74a5522f0ba9669a8a07711b0b405de6c902c2bb08aa
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | jar | package name | geode | Low
Vendor | file | name | geode-management | High
Vendor | jar | package name | cache | Low
Vendor | Manifest | organization | Apache Software Foundation (ASF) | Low
Vendor | jar | package name | apache | Low
Vendor | gradle | groupid | org.apache.geode | Highest
Product | jar | package name | configuration | Low
Product | jar | package name | apache | Highest
Product | jar | package name | geode | Low
Product | file | name | geode-management | High
Product | jar | package name | cache | Low
Product | Manifest | organization | Apache Software Foundation (ASF) | Low
Product | Manifest | title | geode | Medium
Product | jar | package name | geode | Highest
Product | gradle | artifactid | geode-management | Highest
Version | gradle | version | 1.10.0 | Highest
Version | jar | package name | apache | Highest
Version | Manifest | version | 1.10.0 | Medium
Version | file | version | 1.10.0 | High
Version | file | name | geode-management | Medium
groovy-all-1.8.6.jar
Description: Groovy Runtime
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.groovy/groovy-all/1.8.6/96a26bfa6e5aea2e3c46df44a19de93a2acd2366/groovy-all-1.8.6.jar
MD5: 81898a6b6f02decf1f1a5d0a43fa0f2d
SHA1: 96a26bfa6e5aea2e3c46df44a19de93a2acd2366
SHA256: 69158647e58b7414735230a329ad5d3ef51936fcf0c3e4f195f3fec5f361c858
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | jar | package name | groovy | Low
Vendor | Manifest | bundle-symbolicname | groovy-all | Medium
Vendor | Manifest | Implementation-Vendor | The Codehaus | High
Vendor | jar | package name | codehaus | Low
Vendor | Manifest | specification-vendor | The Codehaus | Low
Vendor | gradle | groupid | org.codehaus.groovy | Highest
Vendor | file | name | groovy-all | High
Vendor | jar | package name | groovy | Highest
Vendor | jar | package name | codehaus | Highest
Vendor | Manifest | eclipse-lazystart | true | Low
Vendor | Manifest | extension-name | groovy | Medium
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Vendor | Manifest | eclipse-buddypolicy | dependent | Low
Vendor | Manifest | originally-created-by | 22.0-b10 (Oracle Corporation) | Low
Product | jar | package name | groovy | Low
Product | Manifest | bundle-symbolicname | groovy-all | Medium
Product | Manifest | Bundle-Name | Groovy Runtime | Medium
Product | gradle | artifactid | groovy-all | Highest
Product | file | name | groovy-all | High
Product | jar | package name | groovy | Highest
Product | jar | package name | runtime | Highest
Product | Manifest | specification-title | Groovy: a powerful, dynamic language for the JVM | Medium
Product | Manifest | eclipse-lazystart | true | Low
Product | Manifest | extension-name | groovy | Medium
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Product | Manifest | eclipse-buddypolicy | dependent | Low
Product | Manifest | Implementation-Title | Groovy: a powerful, dynamic language for the JVM | High
Product | Manifest | originally-created-by | 22.0-b10 (Oracle Corporation) | Low
Version | file | version | 1.8.6 | High
Version | Manifest | Implementation-Version | 1.8.6 | High
Published Vulnerabilities
CVE-2015-3253 (OSSINDEX)
The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.groovy:groovy-all:1.8.6:*:*:*:*:*:*:*
CVE-2016-6814 (OSSINDEX)
When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.groovy:groovy-all:1.8.6:*:*:*:*:*:*:*
gson-2.2.4.jar
Description: Google Gson library
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.2.4/a60a5e993c98c864010053cb901b7eab25306568/gson-2.2.4.jar
MD5: 2f54fc24807a4cad7297012dd8cebf3d
SHA1: a60a5e993c98c864010053cb901b7eab25306568
SHA256: c0328cd07ca9e363a5acd00c1cf4afe8cf554bd6d373834981ba05cebec687fb
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | jar | package name | internal | Low
Vendor | jar | package name | google | Highest
Vendor | jar | package name | google | Low
Vendor | jar | package name | gson | Low
Vendor | Manifest | bundle-symbolicname | com.google.gson | Medium
Vendor | jar | package name | gson | Highest
Vendor | file | name | gson | High
Vendor | gradle | groupid | com.google.code.gson | Highest
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Vendor | Manifest | bundle-contactaddress | http://code.google.com/p/google-gson/ | Low
Product | jar | package name | internal | Low
Product | jar | package name | google | Highest
Product | jar | package name | gson | Low
Product | jar | package name | gson | Highest
Product | Manifest | bundle-symbolicname | com.google.gson | Medium
Product | file | name | gson | High
Product | gradle | artifactid | gson | Highest
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Product | Manifest | Bundle-Name | Gson | Medium
Product | Manifest | bundle-contactaddress | http://code.google.com/p/google-gson/ | Low
Version | jar | package name | google | Highest
Version | file | version | 2.2.4 | High
Version | file | name | gson | Medium
Version | jar | package name | gson | Highest
Version | Manifest | Bundle-Version | 2.2.4 | High
Version | gradle | version | 2.2.4 | Highest
guava-28.1-jre.jar
Description: Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/28.1-jre/b0e91dcb6a44ffb6221b5027e12a5cb34b841145/guava-28.1-jre.jar
MD5: 4faae794936faf441fcb7afb2c7db507
SHA1: b0e91dcb6a44ffb6221b5027e12a5cb34b841145
SHA256: 30beb8b8527bd07c6e747e77f1a92122c2f29d57ce347461a4a55eb26e382da4
Referenced In Projects/Scopes: splunk:checkstyle cassandra:checkstyle piglet:checkstyle calcite:checkstyle bom:checkstyle function:checkstyle spark:checkstyle plus:checkstyle pig:checkstyle druid:checkstyle csv:checkstyle core:checkstyle server:checkstyle file:checkstyle geode:checkstyle mongodb:checkstyle elasticsearch:checkstyle release:checkstyle kafka:checkstyle ubenchmark:checkstyle linq4j:checkstyle redis:checkstyle babel:checkstyle example:checkstyle innodb:checkstyle
Evidence (Type | Source | Name | Value | Confidence):
Vendor | jar | package name | google | Highest
Vendor | pom | name | Guava: Google Core Libraries for Java | High
Vendor | jar | package name | common | Highest
Vendor | gradle | groupid | com.google.guava | Highest
Vendor | Manifest | automatic-module-name | com.google.common | Medium
Vendor | pom | artifactid | guava | Low
Vendor | file | name | guava | High
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | pom | groupid | google.guava | Highest
Vendor | Manifest | bundle-symbolicname | com.google.guava | Medium
Vendor | pom | parent-groupid | com.google.guava | Medium
Vendor | pom | parent-artifactid | guava-parent | Low
Vendor | Manifest | bundle-docurl | https://github.com/google/guava/ | Low
Product | jar | package name | google | Highest
Product | pom | name | Guava: Google Core Libraries for Java | High
Product | pom | artifactid | guava | Highest
Product | jar | package name | common | Highest
Product | gradle | artifactid | guava | Highest
Product | Manifest | Bundle-Name | Guava: Google Core Libraries for Java | Medium
Product | pom | parent-artifactid | guava-parent | Medium
Product | Manifest | automatic-module-name | com.google.common | Medium
Product | file | name | guava | High
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | pom | groupid | google.guava | Highest
Product | Manifest | bundle-symbolicname | com.google.guava | Medium
Product | pom | parent-groupid | com.google.guava | Medium
Product | Manifest | bundle-docurl | https://github.com/google/guava/ | Low
Version | pom | version | 28.1-jre | Highest
Version | gradle | version | 28.1-jre | Highest
Published Vulnerabilities
CVE-2020-8908
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CWE-732 Incorrect Permission Assignment for Critical Resource
CVSSv2: Base Score: LOW (2.1) Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: LOW (3.3) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
guava-29.0-jre.jar
Description: Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/29.0-jre/801142b4c3d0f0770dd29abea50906cacfddd447/guava-29.0-jre.jar
MD5: c87962fe0522b105531f37fe351b3b0c
SHA1: 801142b4c3d0f0770dd29abea50906cacfddd447
SHA256: b22c5fb66d61e7b9522531d04b2f915b5158e80aa0b40ee7282c8bfb07b0da25
Referenced In Projects/Scopes: cassandra:compileClasspath piglet:compileClasspath piglet:runtimeClasspath spark:default splunk:default kafka:default spark:compileClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath linq4j:runtimeClasspath linq4j:default druid:compileClasspath plus:compileClasspath linq4j:compileClasspath pig:default plus:runtimeClasspath splunk:compileClasspath function:default file:compileClasspath core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath file:runtimeClasspath innodb:runtimeClasspath elasticsearch:default kafka:compileClasspath druid:runtimeClasspath mongodb:default cassandra:default babel:default function:runtimeClasspath redis:compileClasspath redis:runtimeClasspath core:default function:compileClasspath elasticsearch:compileClasspath babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default babel:compileClasspath csv:default innodb:compileClasspath core:compileClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default geode:compileClasspath mongodb:runtimeClasspath file:default server:default ubenchmark:jmhCompileClasspath pig:runtimeClasspath mongodb:compileClasspath server:compileClasspath redis:default geode:runtimeClasspath csv:compileClasspath csv:runtimeClasspath plus:default pig:compileClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | google | Highest
Vendor | pom | name | Guava: Google Core Libraries for Java | High
Vendor | jar | package name | common | Highest
Vendor | gradle | groupid | com.google.guava | Highest
Vendor | Manifest | automatic-module-name | com.google.common | Medium
Vendor | pom | artifactid | guava | Low
Vendor | file | name | guava | High
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | pom | groupid | google.guava | Highest
Vendor | Manifest | bundle-symbolicname | com.google.guava | Medium
Vendor | pom | parent-groupid | com.google.guava | Medium
Vendor | pom | parent-artifactid | guava-parent | Low
Vendor | Manifest | bundle-docurl | https://github.com/google/guava/ | Low
Product | jar | package name | google | Highest
Product | pom | name | Guava: Google Core Libraries for Java | High
Product | pom | artifactid | guava | Highest
Product | jar | package name | common | Highest
Product | gradle | artifactid | guava | Highest
Product | Manifest | Bundle-Name | Guava: Google Core Libraries for Java | Medium
Product | pom | parent-artifactid | guava-parent | Medium
Product | Manifest | automatic-module-name | com.google.common | Medium
Product | file | name | guava | High
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | pom | groupid | google.guava | Highest
Product | Manifest | bundle-symbolicname | com.google.guava | Medium
Product | pom | parent-groupid | com.google.guava | Medium
Product | Manifest | bundle-docurl | https://github.com/google/guava/ | Low
Version | gradle | version | 29.0-jre | Highest
Version | pom | version | 29.0-jre | Highest
Published Vulnerabilities:
CVE-2020-8908
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CWE-732 Incorrect Permission Assignment for Critical Resource
CVSSv2: Base Score: LOW (2.1) Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: LOW (3.3) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
guice-3.0.jar
Description:
Guice is a lightweight dependency injection framework for Java 5 and above
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.inject/guice/3.0/9d84f15fe35e2c716a02979fb62f50a29f38aefa/guice-3.0.jar
MD5: ca1c7ba366884cfcd2cfb48d2395c400
SHA1: 9d84f15fe35e2c716a02979fb62f50a29f38aefa
SHA256: 1a59d0421ffd355cc0b70b42df1c2e9af744c8a2d0c92da379f5fca2f07f1d22
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | internal | Low
Vendor | file | name | guice | High
Vendor | jar | package name | google | Highest
Vendor | Manifest | bundle-copyright | Copyright (C) 2006 Google Inc. | Low
Vendor | jar | package name | google | Low
Vendor | jar | package name | inject | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5,JavaSE-1.6 | Low
Vendor | Manifest | bundle-docurl | http://code.google.com/p/google-guice/ | Low
Vendor | Manifest | bundle-symbolicname | com.google.inject | Medium
Vendor | jar | package name | inject | Highest
Vendor | gradle | groupid | com.google.inject | Highest
Product | jar | package name | internal | Low
Product | file | name | guice | High
Product | jar | package name | google | Highest
Product | Manifest | bundle-copyright | Copyright (C) 2006 Google Inc. | Low
Product | Manifest | bundle-symbolicname | com.google.inject | Medium
Product | gradle | artifactid | guice | Highest
Product | jar | package name | guice | Highest
Product | jar | package name | dependency | Highest
Product | jar | package name | inject | Low
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5,JavaSE-1.6 | Low
Product | Manifest | bundle-docurl | http://code.google.com/p/google-guice/ | Low
Product | jar | package name | inject | Highest
Product | Manifest | Bundle-Name | guice | Medium
Version | jar | package name | google | Highest
Version | jar | package name | guice | Highest
Version | file | name | guice | Medium
Version | Manifest | Bundle-Version | 3.0.0 | High
Version | gradle | version | 3.0 | Highest
Version | file | version | 3.0 | High
Version | Manifest | bundle-copyright | 2006 | Low
hadoop-annotations-2.7.5.jar
Description:
Apache Hadoop Annotations
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-annotations/2.7.5/f0e097d895d40b7687cef16476efc50dfc010f4d/hadoop-annotations-2.7.5.jar
MD5: 0e6dea0c894a3bdb9490089a7eb79888
SHA1: f0e097d895d40b7687cef16476efc50dfc010f4d
SHA256: 29e955edec12d708171616ea8b0c04e3aa7148d710207421a31ec0b763bc4144
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | hadoop | Highest
Vendor | gradle | groupid | org.apache.hadoop | Highest
Vendor | pom | artifactid | hadoop-annotations | Low
Vendor | jar | package name | apache | Highest
Vendor | pom | parent-artifactid | hadoop-project | Low
Vendor | jar | package name | classification | Low
Vendor | file | name | hadoop-annotations | High
Vendor | pom | groupid | apache.hadoop | Highest
Vendor | jar | package name | apache | Low
Vendor | pom | parent-groupid | org.apache.hadoop | Medium
Vendor | pom | name | Apache Hadoop Annotations | High
Vendor | jar | package name | hadoop | Low
Product | pom | parent-artifactid | hadoop-project | Medium
Product | jar | package name | apache | Highest
Product | pom | artifactid | hadoop-annotations | Highest
Product | jar | package name | classification | Low
Product | file | name | hadoop-annotations | High
Product | jar | package name | hadoop | Highest
Product | pom | groupid | apache.hadoop | Highest
Product | pom | parent-groupid | org.apache.hadoop | Medium
Product | gradle | artifactid | hadoop-annotations | Highest
Product | pom | name | Apache Hadoop Annotations | High
Product | jar | package name | hadoop | Low
Version | file | version | 2.7.5 | High
Version | gradle | version | 2.7.5 | Highest
Version | pom | version | 2.7.5 | Highest
Published Vulnerabilities:
CVE-2017-15713
Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
MLIST - [general] 20180119 CVE-2017-15713: Apache Hadoop MapReduce job history server vulnerability
OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and...
Vulnerable Software & Versions:
CVE-2018-11766
In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 106035
MISC - https://lists.apache.org/thread.html/ff37bbbe09d5f03090e2dd2c3dea95de16ef4249e731f19b8959ce4c@%3Cgeneral.hadoop.apache.org%3E
OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls
Vulnerable Software & Versions:
CVE-2018-11767
In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3: Base Score: HIGH (7.4) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2018-11768
In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
MISC - https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E
MLIST - [flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [hadoop-general] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191006 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [lucene-dev] 20191029 CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191029 Re: CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191031 RE: CVE-2018-11768 in regards to Solr
OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0....
Vulnerable Software & Versions:
CVE-2018-1296
In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2018-8009
Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2018-8029
In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 108518
CONFIRM - https://lists.apache.org/thread.html/17084c09e6dedf60efe08028b429c92ffd28aacc28454e4fa924578a@%3Cgeneral.hadoop.apache.org%3E
CONFIRM - https://security.netapp.com/advisory/ntap-20190617-0001/
MLIST - [druid-commits] 20201008 [druid] branch 0.20.0 updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485) (#10492)
MLIST - [druid-commits] 20201008 [druid] branch master updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485)
MLIST - [hbase-dev] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190530 [jira] [Commented] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
OSSINDEX - [CVE-2018-8029] In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2....
Vulnerable Software & Versions:
CVE-2020-9492
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
CONFIRM - https://security.netapp.com/advisory/ntap-20210304-0001/
MISC - https://lists.apache.org/thread.html/r513758942356ccd0d14538ba18a09903fc72716d74be1cb727ea91ff%40%3Cgeneral.hadoop.apache.org%3E
MLIST - [announce] 20210125 [CVE-2020-9492] Apache Hadoop Potential privilege escalation
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson opened a new pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210225 [GitHub] [druid] liangrui1988 commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [solr-issues] 20210419 [jira] [Created] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
MLIST - [solr-issues] 20210419 [jira] [Updated] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
OSSINDEX - [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10....
Vulnerable Software & Versions:
hadoop-auth-2.7.5.jar
Description:
Apache Hadoop Auth - Java HTTP SPNEGO
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-auth/2.7.5/36fce8096484404d1e5c28568710a7d158cc046e/hadoop-auth-2.7.5.jar
MD5: 935ce77ef942edd52d8d96c115211a09
SHA1: 36fce8096484404d1e5c28568710a7d158cc046e
SHA256: 0a1fae74e2403c293f5aef9fd785730d74d182233c853bc4e6ae7ec936cd4ff2
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | hadoop | Highest
Vendor | gradle | groupid | org.apache.hadoop | Highest
Vendor | jar | package name | security | Low
Vendor | pom | artifactid | hadoop-auth | Low
Vendor | jar | package name | apache | Highest
Vendor | pom | parent-artifactid | hadoop-project | Low
Vendor | pom | name | Apache Hadoop Auth | High
Vendor | file | name | hadoop-auth | High
Vendor | pom | groupid | apache.hadoop | Highest
Vendor | jar | package name | apache | Low
Vendor | pom | parent-groupid | org.apache.hadoop | Medium
Vendor | jar | package name | hadoop | Low
Product | pom | parent-artifactid | hadoop-project | Medium
Product | jar | package name | hadoop | Highest
Product | jar | package name | security | Low
Product | gradle | artifactid | hadoop-auth | Highest
Product | jar | package name | apache | Highest
Product | pom | name | Apache Hadoop Auth | High
Product | jar | package name | authentication | Low
Product | file | name | hadoop-auth | High
Product | pom | groupid | apache.hadoop | Highest
Product | pom | parent-groupid | org.apache.hadoop | Medium
Product | jar | package name | hadoop | Low
Product | pom | artifactid | hadoop-auth | Highest
Version | file | version | 2.7.5 | High
Version | gradle | version | 2.7.5 | Highest
Version | pom | version | 2.7.5 | Highest
Published Vulnerabilities:
CVE-2017-15713
Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
MLIST - [general] 20180119 CVE-2017-15713: Apache Hadoop MapReduce job history server vulnerability
OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and...
Vulnerable Software & Versions:
CVE-2018-11766
In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 106035
MISC - https://lists.apache.org/thread.html/ff37bbbe09d5f03090e2dd2c3dea95de16ef4249e731f19b8959ce4c@%3Cgeneral.hadoop.apache.org%3E
OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls
Vulnerable Software & Versions:
CVE-2018-11767
In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3: Base Score: HIGH (7.4) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2018-11768
In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
MISC - https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E
MLIST - [flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [hadoop-general] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191006 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [lucene-dev] 20191029 CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191029 Re: CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191031 RE: CVE-2018-11768 in regards to Solr
OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0....
Vulnerable Software & Versions:
CVE-2018-1296
In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2018-8009
Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2018-8029
In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 108518
CONFIRM - https://lists.apache.org/thread.html/17084c09e6dedf60efe08028b429c92ffd28aacc28454e4fa924578a@%3Cgeneral.hadoop.apache.org%3E
CONFIRM - https://security.netapp.com/advisory/ntap-20190617-0001/
MLIST - [druid-commits] 20201008 [druid] branch 0.20.0 updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485) (#10492)
MLIST - [druid-commits] 20201008 [druid] branch master updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485)
MLIST - [hbase-dev] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190530 [jira] [Commented] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
OSSINDEX - [CVE-2018-8029] In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2....
Vulnerable Software & Versions:
CVE-2020-9492
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
CONFIRM - https://security.netapp.com/advisory/ntap-20210304-0001/
MISC - https://lists.apache.org/thread.html/r513758942356ccd0d14538ba18a09903fc72716d74be1cb727ea91ff%40%3Cgeneral.hadoop.apache.org%3E
MLIST - [announce] 20210125 [CVE-2020-9492] Apache Hadoop Potential privilege escalation
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson opened a new pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210225 [GitHub] [druid] liangrui1988 commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [solr-issues] 20210419 [jira] [Created] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
MLIST - [solr-issues] 20210419 [jira] [Updated] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
OSSINDEX - [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10....
Vulnerable Software & Versions:
hadoop-client-2.7.5.jar
Description: Apache Hadoop Client
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-client/2.7.5/80bba794bfea1dd2bc98a35a6a6d1c29c49a5af4/hadoop-client-2.7.5.jar
MD5: a2e6a613576cd2e0804311b6e26707cf
SHA1: 80bba794bfea1dd2bc98a35a6a6d1c29c49a5af4
SHA256: 217d1f4df6626383129c8513bc4706244e6aa3f5aa870f22be6052f2b92036f6
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | hadoop-client | High
Vendor | gradle | groupid | org.apache.hadoop | Highest
Vendor | pom | groupid | apache.hadoop | Highest
Vendor | pom | parent-groupid | org.apache.hadoop | Medium
Vendor | pom | name | Apache Hadoop Client | High
Vendor | pom | artifactid | hadoop-client | Low
Vendor | pom | parent-artifactid | hadoop-project-dist | Low
Product | file | name | hadoop-client | High
Product | gradle | artifactid | hadoop-client | Highest
Product | pom | artifactid | hadoop-client | Highest
Product | pom | groupid | apache.hadoop | Highest
Product | pom | parent-groupid | org.apache.hadoop | Medium
Product | pom | parent-artifactid | hadoop-project-dist | Medium
Product | pom | name | Apache Hadoop Client | High
Version | file | version | 2.7.5 | High
Version | gradle | version | 2.7.5 | Highest
Version | pom | version | 2.7.5 | Highest
Published Vulnerabilities
CVE-2017-15713
Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (4.0) Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
MLIST - [general] 20180119 CVE-2017-15713: Apache Hadoop MapReduce job history server vulnerability
OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and...
Vulnerable Software & Versions:
CVE-2018-11766
In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 106035
MISC - https://lists.apache.org/thread.html/ff37bbbe09d5f03090e2dd2c3dea95de16ef4249e731f19b8959ce4c@%3Cgeneral.hadoop.apache.org%3E
OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls
Vulnerable Software & Versions:
CVE-2018-11767
In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (5.8) Vector: AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3: Base Score: HIGH (7.4) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2018-11768
In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
MISC - https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E
MLIST - [flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [hadoop-general] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191006 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [lucene-dev] 20191029 CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191029 Re: CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191031 RE: CVE-2018-11768 in regards to Solr
OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0....
Vulnerable Software & Versions:
CVE-2018-1296
In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2018-8009
Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2: Base Score: MEDIUM (6.5) Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2018-8029
In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 108518
CONFIRM - https://lists.apache.org/thread.html/17084c09e6dedf60efe08028b429c92ffd28aacc28454e4fa924578a@%3Cgeneral.hadoop.apache.org%3E
CONFIRM - https://security.netapp.com/advisory/ntap-20190617-0001/
MLIST - [druid-commits] 20201008 [druid] branch 0.20.0 updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485) (#10492)
MLIST - [druid-commits] 20201008 [druid] branch master updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485)
MLIST - [hbase-dev] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190530 [jira] [Commented] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
OSSINDEX - [CVE-2018-8029] In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2....
Vulnerable Software & Versions:
CVE-2020-9492
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (6.5) Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
CONFIRM - https://security.netapp.com/advisory/ntap-20210304-0001/
MISC - https://lists.apache.org/thread.html/r513758942356ccd0d14538ba18a09903fc72716d74be1cb727ea91ff%40%3Cgeneral.hadoop.apache.org%3E
MLIST - [announce] 20210125 [CVE-2020-9492] Apache Hadoop Potential privilege escalation
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson opened a new pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210225 [GitHub] [druid] liangrui1988 commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [solr-issues] 20210419 [jira] [Created] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
MLIST - [solr-issues] 20210419 [jira] [Updated] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
OSSINDEX - [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10....
Vulnerable Software & Versions:
hadoop-common-2.7.5.jar
Description: Apache Hadoop Common
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-common/2.7.5/6c480e12f6a9659d3cfad33f6edcd2e7f2d988c4/hadoop-common-2.7.5.jar
MD5: ecc80489e611d5691f9953b088542a4a
SHA1: 6c480e12f6a9659d3cfad33f6edcd2e7f2d988c4
SHA256: b7057a315dd6f699f787b89e56d4e2edaf149273e56ed93b414d7b1c3e4040ab
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | hadoop | Highest
Vendor | gradle | groupid | org.apache.hadoop | Highest
Vendor | pom | groupid | apache.hadoop | Highest
Vendor | pom | artifactid | hadoop-common | Low
Vendor | jar | package name | apache | Low
Vendor | pom | parent-groupid | org.apache.hadoop | Medium
Vendor | jar | package name | hadoop | Low
Vendor | file | name | hadoop-common | High
Vendor | pom | parent-artifactid | hadoop-project-dist | Low
Vendor | pom | name | Apache Hadoop Common | High
Product | gradle | artifactid | hadoop-common | Highest
Product | jar | package name | apache | Highest
Product | jar | package name | hadoop | Highest
Product | pom | artifactid | hadoop-common | Highest
Product | pom | groupid | apache.hadoop | Highest
Product | pom | parent-groupid | org.apache.hadoop | Medium
Product | pom | parent-artifactid | hadoop-project-dist | Medium
Product | jar | package name | hadoop | Low
Product | file | name | hadoop-common | High
Product | pom | name | Apache Hadoop Common | High
Version | file | version | 2.7.5 | High
Version | gradle | version | 2.7.5 | Highest
Version | pom | version | 2.7.5 | Highest
Published Vulnerabilities
CVE-2017-15713
Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (4.0) Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
MLIST - [general] 20180119 CVE-2017-15713: Apache Hadoop MapReduce job history server vulnerability
OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and...
Vulnerable Software & Versions:
CVE-2018-11766
In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 106035
MISC - https://lists.apache.org/thread.html/ff37bbbe09d5f03090e2dd2c3dea95de16ef4249e731f19b8959ce4c@%3Cgeneral.hadoop.apache.org%3E
OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls
Vulnerable Software & Versions:
CVE-2018-11767
In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (5.8) Vector: AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3: Base Score: HIGH (7.4) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2018-11768
In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
MISC - https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E
MLIST - [flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [hadoop-general] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191006 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [lucene-dev] 20191029 CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191029 Re: CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191031 RE: CVE-2018-11768 in regards to Solr
OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0....
Vulnerable Software & Versions:
CVE-2018-1296
In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2018-8009
Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2: Base Score: MEDIUM (6.5) Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2018-8029
In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 108518
CONFIRM - https://lists.apache.org/thread.html/17084c09e6dedf60efe08028b429c92ffd28aacc28454e4fa924578a@%3Cgeneral.hadoop.apache.org%3E
CONFIRM - https://security.netapp.com/advisory/ntap-20190617-0001/
MLIST - [druid-commits] 20201008 [druid] branch 0.20.0 updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485) (#10492)
MLIST - [druid-commits] 20201008 [druid] branch master updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485)
MLIST - [hbase-dev] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190530 [jira] [Commented] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
OSSINDEX - [CVE-2018-8029] In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2....
Vulnerable Software & Versions:
CVE-2020-9492
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (6.5) Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
CONFIRM - https://security.netapp.com/advisory/ntap-20210304-0001/
MISC - https://lists.apache.org/thread.html/r513758942356ccd0d14538ba18a09903fc72716d74be1cb727ea91ff%40%3Cgeneral.hadoop.apache.org%3E
MLIST - [announce] 20210125 [CVE-2020-9492] Apache Hadoop Potential privilege escalation
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson opened a new pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210225 [GitHub] [druid] liangrui1988 commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [solr-issues] 20210419 [jira] [Created] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
MLIST - [solr-issues] 20210419 [jira] [Updated] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
OSSINDEX - [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10....
Vulnerable Software & Versions:
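Dependency-Check matches each of these jars to the Apache Hadoop product by version, so every Hadoop CVE whose NVD range covers 2.7.5 is listed against every Hadoop 2.7.5 artifact. Reading the descriptions against the scanned version tells the two kinds of finding apart: seven of the eight ranges include 2.7.5 and call for an upgrade, but CVE-2017-15713 states "2.x before 2.7.5", which excludes 2.7.5, so that entry is a false positive of the version matching rather than an exposure. The "suppress" control in the HTML report produces a suppression rule for such cases; the following Python is an added example, not part of Dependency-Check or of this report, that builds the equivalent suppressions.xml (using the dependency-suppression.1.3.xsd namespace) keyed on the SHA-1 of each Hadoop 2.7.5 jar in this report, and refuses to emit a rule when the scanned version does fall inside the stated "before" range. Keying on SHA-1 rather than on the GAV means the rule silently stops applying the moment the jar changes, which is the safe failure mode. The version-comparison helper and the `false_positive_suppressions` wrapper are the example's own; Dependency-Check derives its own match from the CPE range, not from this script.

```python
"""Build a Dependency-Check suppression file for a finding whose own
affected-version text excludes the scanned version (added example; not part
of Dependency-Check or of this report)."""
import re
import xml.etree.ElementTree as ET

# Namespace of the Dependency-Check suppression schema, version 1.3.
SUPPRESSION_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"

# Jars and SHA-1s as listed in this report; all three are Hadoop 2.7.5.
HADOOP_275_JARS = {
    "hadoop-client-2.7.5.jar": "80bba794bfea1dd2bc98a35a6a6d1c29c49a5af4",
    "hadoop-common-2.7.5.jar": "6c480e12f6a9659d3cfad33f6edcd2e7f2d988c4",
    "hadoop-hdfs-2.7.5.jar": "9580cb7c6ee9c3a71a4e540df2068c416a2796cf",
}


def version_key(v: str):
    """Order Hadoop-style versions numerically (2.7.5 > 2.7.4, 2.10.0 > 2.9.1)
    and sort a pre-release such as 2.0.0-alpha before the bare 2.0.0."""
    core, _, pre = v.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", core))
    return (nums, 0 if pre else 1, pre)


def affected_before(scanned: str, fixed_in: str) -> bool:
    """True when `scanned` lies in a 'before <fixed_in>' range from a CVE text."""
    return version_key(scanned) < version_key(fixed_in)


def build_suppressions(entries) -> str:
    """entries: iterable of (sha1, cve, note). Returns the suppressions XML.
    One <suppress> per jar, pinned by SHA-1 so it cannot outlive the jar."""
    ET.register_namespace("", SUPPRESSION_NS)
    root = ET.Element(f"{{{SUPPRESSION_NS}}}suppressions")
    for sha1, cve, note in entries:
        if not re.fullmatch(r"[0-9a-f]{40}", sha1):
            raise ValueError(f"not a SHA-1 hex digest: {sha1!r}")
        if not re.fullmatch(r"CVE-\d{4}-\d{4,}", cve):
            raise ValueError(f"not a CVE id: {cve!r}")
        s = ET.SubElement(root, f"{{{SUPPRESSION_NS}}}suppress")
        ET.SubElement(s, f"{{{SUPPRESSION_NS}}}notes").text = note
        ET.SubElement(s, f"{{{SUPPRESSION_NS}}}sha1").text = sha1
        ET.SubElement(s, f"{{{SUPPRESSION_NS}}}cve").text = cve
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def false_positive_suppressions(scanned="2.7.5", cve="CVE-2017-15713", fixed_in="2.7.5") -> str:
    """Emit suppressions for the Hadoop 2.7.5 jars only when the scanned
    version is NOT inside the CVE's 'before fixed_in' range. Returns '' (no
    rules) when the version is genuinely affected, so the finding stays."""
    if affected_before(scanned, fixed_in):
        return ""
    note = (f"{cve} affects Hadoop 2.x before {fixed_in}; scanned version is {scanned}. "
            "False positive of version-range matching; recorded per jar SHA-1.")
    return build_suppressions(
        (sha1, cve, f"{jar}: {note}") for jar, sha1 in HADOOP_275_JARS.items()
    )


if __name__ == "__main__":
    print(false_positive_suppressions())
```

Write the output to a file and point the scanner at it (`--suppression suppressions.xml` for the CLI, the `suppressionFile` property of the `dependencyCheck` block for the Gradle plugin that produced this report). The other seven findings are not candidates for this treatment: their ranges include 2.7.5 by their own wording, and the remediation is a Hadoop upgrade.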
hadoop-hdfs-2.7.5.jarDescription:
Apache Hadoop HDFS File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-hdfs/2.7.5/9580cb7c6ee9c3a71a4e540df2068c416a2796cf/hadoop-hdfs-2.7.5.jarMD5: 4cb1f6c8e8bc924f9ea2292fdeb839e7SHA1: 9580cb7c6ee9c3a71a4e540df2068c416a2796cfSHA256: ff06e3c3f35a999ab9d01e4789ecda0af447f355bcce72af3e4259a92a113b66Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor jar package name hadoop Highest Vendor pom artifactid hadoop-hdfs Low Vendor gradle groupid org.apache.hadoop Highest Vendor pom name Apache Hadoop HDFS High Vendor jar package name hdfs Highest Vendor pom parent-artifactid hadoop-project-dist Low Vendor jar package name hdfs Low Vendor jar package name apache Highest Vendor file name hadoop-hdfs High Vendor pom groupid apache.hadoop Highest Vendor jar package name apache Low Vendor pom parent-groupid org.apache.hadoop Medium Vendor jar package name hadoop Low Product jar package name hadoop Highest Product pom name Apache Hadoop HDFS High Product jar package name hdfs Highest Product jar package name hdfs Low Product jar package name apache Highest Product file name hadoop-hdfs High Product pom groupid apache.hadoop Highest Product pom artifactid hadoop-hdfs Highest Product pom parent-groupid org.apache.hadoop Medium Product gradle artifactid hadoop-hdfs Highest Product pom parent-artifactid hadoop-project-dist Medium Product jar package name hadoop Low Version file version 2.7.5 High Version gradle version 2.7.5 Highest Version pom version 2.7.5 Highest
Published Vulnerabilities CVE-2017-15713 suppress
Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host. CWE-200 Information Exposure
CVSSv2:
Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N References:
MLIST - [general] 20180119 CVE-2017-15713: Apache Hadoop MapReduce job history server vulnerability OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and... OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and... OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and... OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and... OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and... OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and... OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and... OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and... Vulnerable Software & Versions: (show all )
CVE-2018-11766 suppress
In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user. NVD-CWE-noinfo
CVSSv2:
Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C CVSSv3:
Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H References:
BID - 106035 MISC - https://lists.apache.org/thread.html/ff37bbbe09d5f03090e2dd2c3dea95de16ef4249e731f19b8959ce4c@%3Cgeneral.hadoop.apache.org%3E OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls Vulnerable Software & Versions:
CVE-2018-11767 suppress
In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms. CWE-269 Improper Privilege Management
CVSSv2:
Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P CVSSv3:
Base Score: HIGH (7.4) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H References:
Vulnerable Software & Versions: (show all )
CVE-2018-11768 suppress
In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage. CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N References:
MISC - https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E MLIST - [flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version MLIST - [flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version MLIST - [hadoop-general] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption MLIST - [hadoop-hdfs-dev] 20191004 Re: CVE-2018-11768: HDFS FSImage Corruption MLIST - [hadoop-hdfs-dev] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption MLIST - [hadoop-hdfs-dev] 20191006 Re: CVE-2018-11768: HDFS FSImage Corruption MLIST - [lucene-dev] 20191029 CVE-2018-11768 in regards to Solr MLIST - [lucene-dev] 20191029 Re: CVE-2018-11768 in regards to Solr MLIST - [lucene-dev] 20191031 RE: CVE-2018-11768 in regards to Solr OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.... OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.... OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.... OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.... OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.... OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.... OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.... OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.... Vulnerable Software & Versions: (show all )
CVE-2018-1296
In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2018-8009
Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2018-8029
In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 108518
CONFIRM - https://lists.apache.org/thread.html/17084c09e6dedf60efe08028b429c92ffd28aacc28454e4fa924578a@%3Cgeneral.hadoop.apache.org%3E
CONFIRM - https://security.netapp.com/advisory/ntap-20190617-0001/
MLIST - [druid-commits] 20201008 [druid] branch 0.20.0 updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485) (#10492)
MLIST - [druid-commits] 20201008 [druid] branch master updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485)
MLIST - [hbase-dev] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190530 [jira] [Commented] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
OSSINDEX - [CVE-2018-8029] In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2....
Vulnerable Software & Versions:
CVE-2020-9492
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
CONFIRM - https://security.netapp.com/advisory/ntap-20210304-0001/
MISC - https://lists.apache.org/thread.html/r513758942356ccd0d14538ba18a09903fc72716d74be1cb727ea91ff%40%3Cgeneral.hadoop.apache.org%3E
MLIST - [announce] 20210125 [CVE-2020-9492] Apache Hadoop Potential privilege escalation
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson opened a new pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210225 [GitHub] [druid] liangrui1988 commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [solr-issues] 20210419 [jira] [Created] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
MLIST - [solr-issues] 20210419 [jira] [Updated] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
OSSINDEX - [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10....
Vulnerable Software & Versions:
hadoop-mapreduce-client-app-2.7.5.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-mapreduce-client-app/2.7.5/d36794fda053b8a0d460091c96066b89f40efb18/hadoop-mapreduce-client-app-2.7.5.jar
MD5: 7c88441dcae1f40da90c89ff0deb8941
SHA1: d36794fda053b8a0d460091c96066b89f40efb18
SHA256: 9a0e61a12ccf29426798e7b1dbf86f6c27b088867d24808e037de7843d18f895
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | hadoop | Highest
Vendor | gradle | groupid | org.apache.hadoop | Highest
Vendor | pom | name | hadoop-mapreduce-client-app | High
Vendor | jar | package name | apache | Highest
Vendor | pom | parent-artifactid | hadoop-mapreduce-client | Low
Vendor | jar | package name | mapreduce | Highest
Vendor | pom | groupid | apache.hadoop | Highest
Vendor | jar | package name | mapreduce | Low
Vendor | jar | package name | apache | Low
Vendor | pom | parent-groupid | org.apache.hadoop | Medium
Vendor | file | name | hadoop-mapreduce-client-app | High
Vendor | jar | package name | hadoop | Low
Vendor | pom | artifactid | hadoop-mapreduce-client-app | Low
Product | pom | artifactid | hadoop-mapreduce-client-app | Highest
Product | jar | package name | hadoop | Highest
Product | pom | parent-artifactid | hadoop-mapreduce-client | Medium
Product | gradle | artifactid | hadoop-mapreduce-client-app | Highest
Product | pom | name | hadoop-mapreduce-client-app | High
Product | jar | package name | apache | Highest
Product | jar | package name | mapreduce | Highest
Product | jar | package name | v2 | Low
Product | pom | groupid | apache.hadoop | Highest
Product | jar | package name | mapreduce | Low
Product | pom | parent-groupid | org.apache.hadoop | Medium
Product | file | name | hadoop-mapreduce-client-app | High
Product | jar | package name | hadoop | Low
Version | file | version | 2.7.5 | High
Version | gradle | version | 2.7.5 | Highest
Version | pom | version | 2.7.5 | Highest
Published Vulnerabilities
CVE-2017-15713
Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
MLIST - [general] 20180119 CVE-2017-15713: Apache Hadoop MapReduce job history server vulnerability
OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and...
Vulnerable Software & Versions:
CVE-2018-11766
In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 106035
MISC - https://lists.apache.org/thread.html/ff37bbbe09d5f03090e2dd2c3dea95de16ef4249e731f19b8959ce4c@%3Cgeneral.hadoop.apache.org%3E
OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls
Vulnerable Software & Versions:
CVE-2018-11767
In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3: Base Score: HIGH (7.4) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2018-11768
In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
MISC - https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E
MLIST - [flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [hadoop-general] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191006 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [lucene-dev] 20191029 CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191029 Re: CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191031 RE: CVE-2018-11768 in regards to Solr
OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0....
Vulnerable Software & Versions:
CVE-2018-1296
In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2018-8009
Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2018-8029
In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 108518
CONFIRM - https://lists.apache.org/thread.html/17084c09e6dedf60efe08028b429c92ffd28aacc28454e4fa924578a@%3Cgeneral.hadoop.apache.org%3E
CONFIRM - https://security.netapp.com/advisory/ntap-20190617-0001/
MLIST - [druid-commits] 20201008 [druid] branch 0.20.0 updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485) (#10492)
MLIST - [druid-commits] 20201008 [druid] branch master updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485)
MLIST - [hbase-dev] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190530 [jira] [Commented] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
OSSINDEX - [CVE-2018-8029] In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2....
Vulnerable Software & Versions:
CVE-2020-9492
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
CONFIRM - https://security.netapp.com/advisory/ntap-20210304-0001/
MISC - https://lists.apache.org/thread.html/r513758942356ccd0d14538ba18a09903fc72716d74be1cb727ea91ff%40%3Cgeneral.hadoop.apache.org%3E
MLIST - [announce] 20210125 [CVE-2020-9492] Apache Hadoop Potential privilege escalation
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson opened a new pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210225 [GitHub] [druid] liangrui1988 commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [solr-issues] 20210419 [jira] [Created] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
MLIST - [solr-issues] 20210419 [jira] [Updated] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
OSSINDEX - [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10....
Vulnerable Software & Versions:
hadoop-mapreduce-client-common-2.7.5.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-mapreduce-client-common/2.7.5/e00e1bc28345ada3a895556ff7a938e86aff6de5/hadoop-mapreduce-client-common-2.7.5.jar
MD5: a9e36e8a31413414e5795935e2b22f05
SHA1: e00e1bc28345ada3a895556ff7a938e86aff6de5
SHA256: 2225a2b624cbd24945453ddc549ea8f140f897c739d923f675b33927f790d333
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | hadoop-mapreduce-client-common | High
Vendor | jar | package name | hadoop | Highest
Vendor | gradle | groupid | org.apache.hadoop | Highest
Vendor | pom | name | hadoop-mapreduce-client-common | High
Vendor | jar | package name | apache | Highest
Vendor | pom | parent-artifactid | hadoop-mapreduce-client | Low
Vendor | jar | package name | mapreduce | Highest
Vendor | pom | groupid | apache.hadoop | Highest
Vendor | jar | package name | mapreduce | Low
Vendor | pom | artifactid | hadoop-mapreduce-client-common | Low
Vendor | jar | package name | apache | Low
Vendor | pom | parent-groupid | org.apache.hadoop | Medium
Vendor | jar | package name | hadoop | Low
Product | file | name | hadoop-mapreduce-client-common | High
Product | jar | package name | hadoop | Highest
Product | gradle | artifactid | hadoop-mapreduce-client-common | Highest
Product | pom | parent-artifactid | hadoop-mapreduce-client | Medium
Product | pom | name | hadoop-mapreduce-client-common | High
Product | jar | package name | apache | Highest
Product | jar | package name | mapreduce | Highest
Product | pom | artifactid | hadoop-mapreduce-client-common | Highest
Product | jar | package name | v2 | Low
Product | pom | groupid | apache.hadoop | Highest
Product | jar | package name | mapreduce | Low
Product | pom | parent-groupid | org.apache.hadoop | Medium
Product | jar | package name | hadoop | Low
Version | file | version | 2.7.5 | High
Version | gradle | version | 2.7.5 | Highest
Version | pom | version | 2.7.5 | Highest
Published Vulnerabilities
CVE-2017-15713
Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
MLIST - [general] 20180119 CVE-2017-15713: Apache Hadoop MapReduce job history server vulnerability
OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and...
Vulnerable Software & Versions:
CVE-2018-11766
In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 106035
MISC - https://lists.apache.org/thread.html/ff37bbbe09d5f03090e2dd2c3dea95de16ef4249e731f19b8959ce4c@%3Cgeneral.hadoop.apache.org%3E
OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls
Vulnerable Software & Versions:
CVE-2018-11767
In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3: Base Score: HIGH (7.4) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2018-11768
In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
MISC - https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E
MLIST - [flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [hadoop-general] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191006 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [lucene-dev] 20191029 CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191029 Re: CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191031 RE: CVE-2018-11768 in regards to Solr
OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0....
Vulnerable Software & Versions:
CVE-2018-1296
In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2018-8009
Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2018-8029
In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 108518
CONFIRM - https://lists.apache.org/thread.html/17084c09e6dedf60efe08028b429c92ffd28aacc28454e4fa924578a@%3Cgeneral.hadoop.apache.org%3E
CONFIRM - https://security.netapp.com/advisory/ntap-20190617-0001/
MLIST - [druid-commits] 20201008 [druid] branch 0.20.0 updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485) (#10492)
MLIST - [druid-commits] 20201008 [druid] branch master updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485)
MLIST - [hbase-dev] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190530 [jira] [Commented] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
OSSINDEX - [CVE-2018-8029] In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2....
Vulnerable Software & Versions:
CVE-2020-9492
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
CONFIRM - https://security.netapp.com/advisory/ntap-20210304-0001/
MISC - https://lists.apache.org/thread.html/r513758942356ccd0d14538ba18a09903fc72716d74be1cb727ea91ff%40%3Cgeneral.hadoop.apache.org%3E
MLIST - [announce] 20210125 [CVE-2020-9492] Apache Hadoop Potential privilege escalation
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson opened a new pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210225 [GitHub] [druid] liangrui1988 commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [solr-issues] 20210419 [jira] [Created] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
MLIST - [solr-issues] 20210419 [jira] [Updated] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
OSSINDEX - [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10....
Vulnerable Software & Versions:
hadoop-mapreduce-client-core-2.7.5.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-mapreduce-client-core/2.7.5/9897775c6c58d0d36692cca81851f6566bf2461c/hadoop-mapreduce-client-core-2.7.5.jar
MD5: 8d6eed0f8af6cb762aa949e28d309355
SHA1: 9897775c6c58d0d36692cca81851f6566bf2461c
SHA256: d125e74720f07be8d7c5792d1448cd81afbbf8e94b02c52adac57cb1c1ff80b0
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | hadoop | Highest
Vendor | gradle | groupid | org.apache.hadoop | Highest
Vendor | pom | artifactid | hadoop-mapreduce-client-core | Low
Vendor | file | name | hadoop-mapreduce-client-core | High
Vendor | jar | package name | apache | Highest
Vendor | pom | parent-artifactid | hadoop-mapreduce-client | Low
Vendor | jar | package name | mapreduce | Highest
Vendor | pom | groupid | apache.hadoop | Highest
Vendor | jar | package name | mapreduce | Low
Vendor | jar | package name | apache | Low
Vendor | pom | parent-groupid | org.apache.hadoop | Medium
Vendor | pom | name | hadoop-mapreduce-client-core | High
Vendor | jar | package name | hadoop | Low
Product | jar | package name | hadoop | Highest
Product | pom | parent-artifactid | hadoop-mapreduce-client | Medium
Product | file | name | hadoop-mapreduce-client-core | High
Product | jar | package name | apache | Highest
Product | gradle | artifactid | hadoop-mapreduce-client-core | Highest
Product | jar | package name | mapreduce | Highest
Product | pom | artifactid | hadoop-mapreduce-client-core | Highest
Product | pom | groupid | apache.hadoop | Highest
Product | jar | package name | mapreduce | Low
Product | pom | parent-groupid | org.apache.hadoop | Medium
Product | pom | name | hadoop-mapreduce-client-core | High
Product | jar | package name | hadoop | Low
Version | file | version | 2.7.5 | High
Version | gradle | version | 2.7.5 | Highest
Version | pom | version | 2.7.5 | Highest
Published Vulnerabilities

CVE-2017-15713
Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
MLIST - [general] 20180119 CVE-2017-15713: Apache Hadoop MapReduce job history server vulnerability
OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and...
Vulnerable Software & Versions:

CVE-2018-11766
In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 106035
MISC - https://lists.apache.org/thread.html/ff37bbbe09d5f03090e2dd2c3dea95de16ef4249e731f19b8959ce4c@%3Cgeneral.hadoop.apache.org%3E
OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls
Vulnerable Software & Versions:

CVE-2018-11767
In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3: Base Score: HIGH (7.4) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
References:
Vulnerable Software & Versions:

CVE-2018-11768
In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
MISC - https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E
MLIST - [flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [hadoop-general] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191006 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [lucene-dev] 20191029 CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191029 Re: CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191031 RE: CVE-2018-11768 in regards to Solr
OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0....
Vulnerable Software & Versions:

CVE-2018-1296
In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:

CVE-2018-8009
Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:

CVE-2018-8029
In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 108518
CONFIRM - https://lists.apache.org/thread.html/17084c09e6dedf60efe08028b429c92ffd28aacc28454e4fa924578a@%3Cgeneral.hadoop.apache.org%3E
CONFIRM - https://security.netapp.com/advisory/ntap-20190617-0001/
MLIST - [druid-commits] 20201008 [druid] branch 0.20.0 updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485) (#10492)
MLIST - [druid-commits] 20201008 [druid] branch master updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485)
MLIST - [hbase-dev] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190530 [jira] [Commented] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
OSSINDEX - [CVE-2018-8029] In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2....
Vulnerable Software & Versions:

CVE-2020-9492
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
CONFIRM - https://security.netapp.com/advisory/ntap-20210304-0001/
MISC - https://lists.apache.org/thread.html/r513758942356ccd0d14538ba18a09903fc72716d74be1cb727ea91ff%40%3Cgeneral.hadoop.apache.org%3E
MLIST - [announce] 20210125 [CVE-2020-9492] Apache Hadoop Potential privilege escalation
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson opened a new pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210225 [GitHub] [druid] liangrui1988 commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [solr-issues] 20210419 [jira] [Created] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
MLIST - [solr-issues] 20210419 [jira] [Updated] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
OSSINDEX - [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10....
Vulnerable Software & Versions:
hadoop-mapreduce-client-jobclient-2.7.5.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-mapreduce-client-jobclient/2.7.5/3cb2761a5532223834eb920b79d71a90b941fffb/hadoop-mapreduce-client-jobclient-2.7.5.jar
MD5: 74383f3a8e972a2c0a94c05c8b4f24fe
SHA1: 3cb2761a5532223834eb920b79d71a90b941fffb
SHA256: 8e82ee8e00211763818f1dc174a0b19ea0f9ef10f447acf1e91636bde0221d38
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | jar | package name | hadoop | Highest
Vendor | gradle | groupid | org.apache.hadoop | Highest
Vendor | pom | artifactid | hadoop-mapreduce-client-jobclient | Low
Vendor | pom | name | hadoop-mapreduce-client-jobclient | High
Vendor | jar | package name | apache | Highest
Vendor | pom | parent-artifactid | hadoop-mapreduce-client | Low
Vendor | file | name | hadoop-mapreduce-client-jobclient | High
Vendor | pom | groupid | apache.hadoop | Highest
Vendor | jar | package name | apache | Low
Vendor | pom | parent-groupid | org.apache.hadoop | Medium
Vendor | jar | package name | mapred | Low
Vendor | jar | package name | hadoop | Low
Product | gradle | artifactid | hadoop-mapreduce-client-jobclient | Highest
Product | jar | package name | apache | Highest
Product | file | name | hadoop-mapreduce-client-jobclient | High
Product | jar | package name | hadoop | Highest
Product | pom | name | hadoop-mapreduce-client-jobclient | High
Product | pom | groupid | apache.hadoop | Highest
Product | pom | parent-artifactid | hadoop-mapreduce-client | Medium
Product | pom | parent-groupid | org.apache.hadoop | Medium
Product | jar | package name | mapred | Low
Product | jar | package name | hadoop | Low
Product | pom | artifactid | hadoop-mapreduce-client-jobclient | Highest
Version | file | version | 2.7.5 | High
Version | gradle | version | 2.7.5 | Highest
Version | pom | version | 2.7.5 | Highest
Published Vulnerabilities

CVE-2017-15713
Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
MLIST - [general] 20180119 CVE-2017-15713: Apache Hadoop MapReduce job history server vulnerability
OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and...
Vulnerable Software & Versions:

CVE-2018-11766
In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 106035
MISC - https://lists.apache.org/thread.html/ff37bbbe09d5f03090e2dd2c3dea95de16ef4249e731f19b8959ce4c@%3Cgeneral.hadoop.apache.org%3E
OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls
Vulnerable Software & Versions:

CVE-2018-11767
In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3: Base Score: HIGH (7.4) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
References:
Vulnerable Software & Versions:

CVE-2018-11768
In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
MISC - https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E
MLIST - [flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [hadoop-general] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191006 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [lucene-dev] 20191029 CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191029 Re: CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191031 RE: CVE-2018-11768 in regards to Solr
OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0....
Vulnerable Software & Versions:

CVE-2018-1296
In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:

CVE-2018-8009
Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:

CVE-2018-8029
In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 108518
CONFIRM - https://lists.apache.org/thread.html/17084c09e6dedf60efe08028b429c92ffd28aacc28454e4fa924578a@%3Cgeneral.hadoop.apache.org%3E
CONFIRM - https://security.netapp.com/advisory/ntap-20190617-0001/
MLIST - [druid-commits] 20201008 [druid] branch 0.20.0 updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485) (#10492)
MLIST - [druid-commits] 20201008 [druid] branch master updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485)
MLIST - [hbase-dev] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190530 [jira] [Commented] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
OSSINDEX - [CVE-2018-8029] In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2....
Vulnerable Software & Versions:

CVE-2020-9492
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
CONFIRM - https://security.netapp.com/advisory/ntap-20210304-0001/
MISC - https://lists.apache.org/thread.html/r513758942356ccd0d14538ba18a09903fc72716d74be1cb727ea91ff%40%3Cgeneral.hadoop.apache.org%3E
MLIST - [announce] 20210125 [CVE-2020-9492] Apache Hadoop Potential privilege escalation
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson opened a new pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210225 [GitHub] [druid] liangrui1988 commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [solr-issues] 20210419 [jira] [Created] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
MLIST - [solr-issues] 20210419 [jira] [Updated] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
OSSINDEX - [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10....
Vulnerable Software & Versions:
hadoop-mapreduce-client-shuffle-2.7.5.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-mapreduce-client-shuffle/2.7.5/4deb0392a666f5f9e65af7458305d78099de8a19/hadoop-mapreduce-client-shuffle-2.7.5.jar
MD5: ba50093ef464d426d637cfb0061f1ab4
SHA1: 4deb0392a666f5f9e65af7458305d78099de8a19
SHA256: 2f15ee20fa8158fe04e0fa3104e5095a54a881abfcea856ce58c23717d2fa456
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | jar | package name | hadoop | Highest
Vendor | gradle | groupid | org.apache.hadoop | Highest
Vendor | file | name | hadoop-mapreduce-client-shuffle | High
Vendor | pom | artifactid | hadoop-mapreduce-client-shuffle | Low
Vendor | jar | package name | apache | Highest
Vendor | pom | parent-artifactid | hadoop-mapreduce-client | Low
Vendor | pom | groupid | apache.hadoop | Highest
Vendor | pom | name | hadoop-mapreduce-client-shuffle | High
Vendor | jar | package name | apache | Low
Vendor | pom | parent-groupid | org.apache.hadoop | Medium
Vendor | jar | package name | mapred | Low
Vendor | jar | package name | hadoop | Low
Product | jar | package name | apache | Highest
Product | pom | artifactid | hadoop-mapreduce-client-shuffle | Highest
Product | jar | package name | hadoop | Highest
Product | pom | groupid | apache.hadoop | Highest
Product | gradle | artifactid | hadoop-mapreduce-client-shuffle | Highest
Product | pom | parent-artifactid | hadoop-mapreduce-client | Medium
Product | pom | name | hadoop-mapreduce-client-shuffle | High
Product | file | name | hadoop-mapreduce-client-shuffle | High
Product | pom | parent-groupid | org.apache.hadoop | Medium
Product | jar | package name | mapred | Low
Product | jar | package name | hadoop | Low
Version | file | version | 2.7.5 | High
Version | gradle | version | 2.7.5 | Highest
Version | pom | version | 2.7.5 | Highest
Published Vulnerabilities CVE-2017-15713 suppress
Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host. CWE-200 Information Exposure
CVSSv2:
Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N References:
MLIST - [general] 20180119 CVE-2017-15713: Apache Hadoop MapReduce job history server vulnerability OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and... OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and... OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and... OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and... OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and... OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and... OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and... OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and... Vulnerable Software & Versions: (show all )
CVE-2018-11766 suppress
In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user. NVD-CWE-noinfo
CVSSv2:
Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C CVSSv3:
Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H References:
BID - 106035 MISC - https://lists.apache.org/thread.html/ff37bbbe09d5f03090e2dd2c3dea95de16ef4249e731f19b8959ce4c@%3Cgeneral.hadoop.apache.org%3E OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls Vulnerable Software & Versions:
CVE-2018-11767 suppress
In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms. CWE-269 Improper Privilege Management
CVSSv2:
Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P CVSSv3:
Base Score: HIGH (7.4) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H References:
Vulnerable Software & Versions: (show all )
CVE-2018-11768 suppress
In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage. CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N References:
MISC - https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E MLIST - [flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version MLIST - [flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version MLIST - [hadoop-general] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption MLIST - [hadoop-hdfs-dev] 20191004 Re: CVE-2018-11768: HDFS FSImage Corruption MLIST - [hadoop-hdfs-dev] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption MLIST - [hadoop-hdfs-dev] 20191006 Re: CVE-2018-11768: HDFS FSImage Corruption MLIST - [lucene-dev] 20191029 CVE-2018-11768 in regards to Solr MLIST - [lucene-dev] 20191029 Re: CVE-2018-11768 in regards to Solr MLIST - [lucene-dev] 20191031 RE: CVE-2018-11768 in regards to Solr OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.... OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.... OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.... OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.... OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.... OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.... OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.... OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.... Vulnerable Software & Versions: (show all )
CVE-2018-1296
In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2018-8009
Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2018-8029
In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 108518
CONFIRM - https://lists.apache.org/thread.html/17084c09e6dedf60efe08028b429c92ffd28aacc28454e4fa924578a@%3Cgeneral.hadoop.apache.org%3E
CONFIRM - https://security.netapp.com/advisory/ntap-20190617-0001/
MLIST - [druid-commits] 20201008 [druid] branch 0.20.0 updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485) (#10492)
MLIST - [druid-commits] 20201008 [druid] branch master updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485)
MLIST - [hbase-dev] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190530 [jira] [Commented] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
OSSINDEX - [CVE-2018-8029] In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2....
Vulnerable Software & Versions:
CVE-2020-9492
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
CONFIRM - https://security.netapp.com/advisory/ntap-20210304-0001/
MISC - https://lists.apache.org/thread.html/r513758942356ccd0d14538ba18a09903fc72716d74be1cb727ea91ff%40%3Cgeneral.hadoop.apache.org%3E
MLIST - [announce] 20210125 [CVE-2020-9492] Apache Hadoop Potential privilege escalation
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson opened a new pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210225 [GitHub] [druid] liangrui1988 commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [solr-issues] 20210419 [jira] [Created] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
MLIST - [solr-issues] 20210419 [jira] [Updated] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
OSSINDEX - [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10....
Vulnerable Software & Versions:
hadoop-yarn-api-2.7.5.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-yarn-api/2.7.5/7a78260a7a750bedb5019a58227f356d46caf829/hadoop-yarn-api-2.7.5.jar
MD5: 15e76f7c734b49315ef2bce952509ddf
SHA1: 7a78260a7a750bedb5019a58227f356d46caf829
SHA256: 8ea58e3798d6b208fc29b56965788f5dbefd94514fd49331696ec8d85bf7077e
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | hadoop-yarn | Low
Vendor | jar | package name | yarn | Low
Vendor | jar | package name | hadoop | Highest
Vendor | gradle | groupid | org.apache.hadoop | Highest
Vendor | pom | name | hadoop-yarn-api | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | yarn | Highest
Vendor | pom | groupid | apache.hadoop | Highest
Vendor | file | name | hadoop-yarn-api | High
Vendor | jar | package name | api | Highest
Vendor | jar | package name | apache | Low
Vendor | pom | parent-groupid | org.apache.hadoop | Medium
Vendor | jar | package name | hadoop | Low
Vendor | pom | artifactid | hadoop-yarn-api | Low
Product | jar | package name | proto | Low
Product | jar | package name | yarn | Low
Product | jar | package name | hadoop | Highest
Product | gradle | artifactid | hadoop-yarn-api | Highest
Product | pom | name | hadoop-yarn-api | High
Product | jar | package name | apache | Highest
Product | jar | package name | yarn | Highest
Product | pom | parent-artifactid | hadoop-yarn | Medium
Product | pom | artifactid | hadoop-yarn-api | Highest
Product | pom | groupid | apache.hadoop | Highest
Product | file | name | hadoop-yarn-api | High
Product | jar | package name | api | Highest
Product | pom | parent-groupid | org.apache.hadoop | Medium
Product | jar | package name | hadoop | Low
Version | file | version | 2.7.5 | High
Version | gradle | version | 2.7.5 | Highest
Version | pom | version | 2.7.5 | Highest
Published Vulnerabilities
CVE-2017-15713
Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
MLIST - [general] 20180119 CVE-2017-15713: Apache Hadoop MapReduce job history server vulnerability
OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and...
Vulnerable Software & Versions:
CVE-2018-11766
In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 106035
MISC - https://lists.apache.org/thread.html/ff37bbbe09d5f03090e2dd2c3dea95de16ef4249e731f19b8959ce4c@%3Cgeneral.hadoop.apache.org%3E
OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls
Vulnerable Software & Versions:
CVE-2018-11767
In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3: Base Score: HIGH (7.4) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2018-11768
In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
MISC - https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E
MLIST - [flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [hadoop-general] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191006 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [lucene-dev] 20191029 CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191029 Re: CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191031 RE: CVE-2018-11768 in regards to Solr
OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0....
Vulnerable Software & Versions:
CVE-2018-1296
In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2018-8009
Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2018-8029
In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 108518
CONFIRM - https://lists.apache.org/thread.html/17084c09e6dedf60efe08028b429c92ffd28aacc28454e4fa924578a@%3Cgeneral.hadoop.apache.org%3E
CONFIRM - https://security.netapp.com/advisory/ntap-20190617-0001/
MLIST - [druid-commits] 20201008 [druid] branch 0.20.0 updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485) (#10492)
MLIST - [druid-commits] 20201008 [druid] branch master updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485)
MLIST - [hbase-dev] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190530 [jira] [Commented] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
OSSINDEX - [CVE-2018-8029] In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2....
Vulnerable Software & Versions:
CVE-2020-9492
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
CONFIRM - https://security.netapp.com/advisory/ntap-20210304-0001/
MISC - https://lists.apache.org/thread.html/r513758942356ccd0d14538ba18a09903fc72716d74be1cb727ea91ff%40%3Cgeneral.hadoop.apache.org%3E
MLIST - [announce] 20210125 [CVE-2020-9492] Apache Hadoop Potential privilege escalation
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson opened a new pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210225 [GitHub] [druid] liangrui1988 commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [solr-issues] 20210419 [jira] [Created] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
MLIST - [solr-issues] 20210419 [jira] [Updated] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
OSSINDEX - [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10....
Vulnerable Software & Versions:
hadoop-yarn-client-2.7.5.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-yarn-client/2.7.5/fef50595a9f088e9e410f22cd5894c607a804ecd/hadoop-yarn-client-2.7.5.jar
MD5: 2bf65a5f66646be45358c4fa36a8a25f
SHA1: fef50595a9f088e9e410f22cd5894c607a804ecd
SHA256: 56dcc4815eaf58bff2bd51e1a24ffbab3e9e11f28a1746270fa50038aa33e94c
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | hadoop-yarn | Low
Vendor | jar | package name | yarn | Low
Vendor | jar | package name | hadoop | Highest
Vendor | pom | artifactid | hadoop-yarn-client | Low
Vendor | pom | name | hadoop-yarn-client | High
Vendor | gradle | groupid | org.apache.hadoop | Highest
Vendor | jar | package name | client | Highest
Vendor | file | name | hadoop-yarn-client | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | yarn | Highest
Vendor | pom | groupid | apache.hadoop | Highest
Vendor | jar | package name | apache | Low
Vendor | pom | parent-groupid | org.apache.hadoop | Medium
Vendor | jar | package name | hadoop | Low
Product | jar | package name | yarn | Low
Product | jar | package name | hadoop | Highest
Product | pom | name | hadoop-yarn-client | High
Product | jar | package name | client | Highest
Product | file | name | hadoop-yarn-client | High
Product | pom | artifactid | hadoop-yarn-client | Highest
Product | jar | package name | client | Low
Product | jar | package name | apache | Highest
Product | jar | package name | yarn | Highest
Product | pom | parent-artifactid | hadoop-yarn | Medium
Product | gradle | artifactid | hadoop-yarn-client | Highest
Product | pom | groupid | apache.hadoop | Highest
Product | pom | parent-groupid | org.apache.hadoop | Medium
Product | jar | package name | hadoop | Low
Version | file | version | 2.7.5 | High
Version | gradle | version | 2.7.5 | Highest
Version | pom | version | 2.7.5 | Highest
Published Vulnerabilities
CVE-2017-15713
Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
MLIST - [general] 20180119 CVE-2017-15713: Apache Hadoop MapReduce job history server vulnerability
OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and...
Vulnerable Software & Versions:
CVE-2018-11766
In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 106035
MISC - https://lists.apache.org/thread.html/ff37bbbe09d5f03090e2dd2c3dea95de16ef4249e731f19b8959ce4c@%3Cgeneral.hadoop.apache.org%3E
OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls
Vulnerable Software & Versions:
CVE-2018-11767
In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3: Base Score: HIGH (7.4) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2018-11768
In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
MISC - https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E
MLIST - [flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [hadoop-general] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191006 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [lucene-dev] 20191029 CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191029 Re: CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191031 RE: CVE-2018-11768 in regards to Solr
OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0....
Vulnerable Software & Versions:
CVE-2018-1296
In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2018-8009
Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2018-8029
In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 108518
CONFIRM - https://lists.apache.org/thread.html/17084c09e6dedf60efe08028b429c92ffd28aacc28454e4fa924578a@%3Cgeneral.hadoop.apache.org%3E
CONFIRM - https://security.netapp.com/advisory/ntap-20190617-0001/
MLIST - [druid-commits] 20201008 [druid] branch 0.20.0 updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485) (#10492)
MLIST - [druid-commits] 20201008 [druid] branch master updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485)
MLIST - [hbase-dev] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190530 [jira] [Commented] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
OSSINDEX - [CVE-2018-8029] In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2....
Vulnerable Software & Versions:
CVE-2020-9492
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
CONFIRM - https://security.netapp.com/advisory/ntap-20210304-0001/
MISC - https://lists.apache.org/thread.html/r513758942356ccd0d14538ba18a09903fc72716d74be1cb727ea91ff%40%3Cgeneral.hadoop.apache.org%3E
MLIST - [announce] 20210125 [CVE-2020-9492] Apache Hadoop Potential privilege escalation
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson opened a new pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210225 [GitHub] [druid] liangrui1988 commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [solr-issues] 20210419 [jira] [Created] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
MLIST - [solr-issues] 20210419 [jira] [Updated] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
OSSINDEX - [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10....
Vulnerable Software & Versions:
hadoop-yarn-common-2.7.5.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-yarn-common/2.7.5/b642449750a8d0a51c4310b19264209e0e5c0fe9/hadoop-yarn-common-2.7.5.jar
MD5: 509be5651b2ff8951dd5e9decdf4cf7f
SHA1: b642449750a8d0a51c4310b19264209e0e5c0fe9
SHA256: 2b104b70833cb6f97fcfe9555a93e43f0942068a3e1137a6adbf9d4c0ebbd539
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | hadoop-yarn | Low
Vendor | jar | package name | yarn | Low
Vendor | jar | package name | hadoop | Highest
Vendor | gradle | groupid | org.apache.hadoop | Highest
Vendor | pom | artifactid | hadoop-yarn-common | Low
Vendor | pom | name | hadoop-yarn-common | High
Vendor | file | name | hadoop-yarn-common | High
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | yarn | Highest
Vendor | pom | groupid | apache.hadoop | Highest
Vendor | jar | package name | apache | Low
Vendor | pom | parent-groupid | org.apache.hadoop | Medium
Vendor | jar | package name | hadoop | Low
Product | jar | package name | yarn | Low
Product | jar | package name | hadoop | Highest
Product | pom | name | hadoop-yarn-common | High
Product | file | name | hadoop-yarn-common | High
Product | gradle | artifactid | hadoop-yarn-common | Highest
Product | pom | artifactid | hadoop-yarn-common | Highest
Product | jar | package name | apache | Highest
Product | jar | package name | yarn | Highest
Product | pom | parent-artifactid | hadoop-yarn | Medium
Product | pom | groupid | apache.hadoop | Highest
Product | pom | parent-groupid | org.apache.hadoop | Medium
Product | jar | package name | hadoop | Low
Version | file | version | 2.7.5 | High
Version | gradle | version | 2.7.5 | Highest
Version | pom | version | 2.7.5 | Highest
Published Vulnerabilities
CVE-2017-15713
Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
MLIST - [general] 20180119 CVE-2017-15713: Apache Hadoop MapReduce job history server vulnerability
OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and...
Vulnerable Software & Versions:
CVE-2018-11766
In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 106035
MISC - https://lists.apache.org/thread.html/ff37bbbe09d5f03090e2dd2c3dea95de16ef4249e731f19b8959ce4c@%3Cgeneral.hadoop.apache.org%3E
OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls
Vulnerable Software & Versions:
CVE-2018-11767
In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3: Base Score: HIGH (7.4) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2018-11768
In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
MISC - https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E
MLIST - [flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [hadoop-general] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191006 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [lucene-dev] 20191029 CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191029 Re: CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191031 RE: CVE-2018-11768 in regards to Solr
OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0....
Vulnerable Software & Versions:
CVE-2018-1296
In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2018-8009
Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2018-8029
In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 108518
CONFIRM - https://lists.apache.org/thread.html/17084c09e6dedf60efe08028b429c92ffd28aacc28454e4fa924578a@%3Cgeneral.hadoop.apache.org%3E
CONFIRM - https://security.netapp.com/advisory/ntap-20190617-0001/
MLIST - [druid-commits] 20201008 [druid] branch 0.20.0 updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485) (#10492)
MLIST - [druid-commits] 20201008 [druid] branch master updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485)
MLIST - [hbase-dev] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190530 [jira] [Commented] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
OSSINDEX - [CVE-2018-8029] In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2....
Vulnerable Software & Versions:
CVE-2020-9492
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
CONFIRM - https://security.netapp.com/advisory/ntap-20210304-0001/
MISC - https://lists.apache.org/thread.html/r513758942356ccd0d14538ba18a09903fc72716d74be1cb727ea91ff%40%3Cgeneral.hadoop.apache.org%3E
MLIST - [announce] 20210125 [CVE-2020-9492] Apache Hadoop Potential privilege escalation
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson opened a new pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210225 [GitHub] [druid] liangrui1988 commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [solr-issues] 20210419 [jira] [Created] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
MLIST - [solr-issues] 20210419 [jira] [Updated] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
OSSINDEX - [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10....
Vulnerable Software & Versions:
hadoop-yarn-common-2.7.5.jar: jquery-1.8.2.min.js.gz: jquery-1.8.2.min.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-yarn-common/2.7.5/b642449750a8d0a51c4310b19264209e0e5c0fe9/hadoop-yarn-common-2.7.5.jar/webapps/static/jquery/jquery-1.8.2.min.js.gz/jquery-1.8.2.min.js
MD5: cfa9051cc0b05eb519f1e16b2a6645d7
SHA1: 149b5180cb9de3f646fc26802440a6ac6e758d40
SHA256: f23d4b309b72743aa8afe1f8c98a25b3ee31246fa572c66d9d8cb1982cae4fbc
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jquery | High
Product | file | name | jquery | High
Version | file | version | 1.8.2.min | High
Published Vulnerabilities
CVE-2012-6708
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions (NVD):
cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 1.9.0
CVE-2015-9251
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions (NVD):
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.0.7
cpe:2.3:a:oracle:communications_webrtc_session_controller:*:*:*:*:*:*:*:* versions up to (excluding) 7.2
cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:oss_support_tools:19.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*
cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.0.0
cpe:2.3:a:oracle:endeca_information_discovery_studio:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5
cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:* versions up to (excluding) 7.0.0.1
cpe:2.3:a:oracle:healthcare_foundation:7.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_liquidity_risk_management:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.6
cpe:2.3:a:oracle:retail_allocation:15.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:11.1.1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.1; versions up to (including) 17.12
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:* versions up to (excluding) 6.1.0.4.0
cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:* versions from (including) 4.3.0.1; versions up to (including) 4.3.0.4
cpe:2.3:a:oracle:retail_sales_audit:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_operations_monitor:4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7
cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_foundation:7.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_operations_monitor:3.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:real-time_scheduler:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_invoice_matching:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7
cpe:2.3:a:oracle:weblogic_server:12.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_workforce_management_software:1.64.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:siebel_ui_framework:18.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6
cpe:2.3:a:oracle:siebel_ui_framework:18.11:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.4:*:*:*:*:*:*:*
CVE-2019-11358
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions (NVD):
cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.5.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.1.0
cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.8
cpe:2.3:a:oracle:jdeveloper_and_adf:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:bi_publisher:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdeveloper_and_adf:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:virtualization_manager:4.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 19.1
cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0; versions up to (including) 19.12.4
cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.7; versions up to (including) 17.12
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:diagnostic_assistant:2.12.36:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:policy_automation:10.4.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:knowledge:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (including) 8.6.3
cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.0.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_foundation:7.2.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_operations_monitor:4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:transportation_management:1.4.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7
cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_service_level_management:13.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*
cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:application_testing_suite:13.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.11.0; versions up to (excluding) 1.11.9
cpe:2.3:a:oracle:real-time_scheduler:*:*:*:*:*:*:*:* versions from (including) 2.3.0.1; versions up to (including) 2.3.0.3
cpe:2.3:a:oracle:jdeveloper_and_adf:11.1.1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_retail_customer_analytics:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6
cpe:2.3:a:oracle:service_bus:11.1.1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_central_office:14.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from (including) 5.0.0.0; versions up to (including) 5.6.0.0
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5
cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:policy_automation:12.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*
cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:* versions from (including) 19.1.0; versions up to (including) 19.1.2
cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.15
cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_service_level_management:13.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (excluding) 8.6.15
cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0
cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from (including) 6.0; versions up to (including) 6.4
cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:policy_automation:12.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_testing_suite:13.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_operations_monitor:4.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_performance_insight:8.0.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from (including) 2.4.0; versions up to (including) 2.10.0
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2.0; versions up to (including) 16.2.11
cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7
cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_point-of-service:14.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*
cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.15
cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:big_data_discovery:1.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9
cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from (including) 2.7.0; versions up to (including) 2.8.0
cpe:2.3:a:oracle:system_utilities:19.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:tape_library_acsls:8.5.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9
cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.66
cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:*
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.5.0; versions up to (excluding) 8.5.15
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3
cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:*:*:*:*:*:*:*
cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.12.0; versions up to (excluding) 1.12.6
cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:15.2.18:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7 cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:bi_publisher:5.5.0.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:bi_publisher:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:* cpe:2.3:a:oracle:tape_library_acsls:8.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_mobile_applications:*:*:*:*:*:*:*:* versions up to (including) 19.8 cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_mobile_workforce_management:*:*:*:*:*:*:*:* versions from (including) 2.3.0.1; versions up to (including) 2.3.0.3
CVE-2020-11022
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions (NVD):
cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_supplier_collaboration_for_process:6.2.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:* cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0 cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6 cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_profitability_management:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_profitability_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70 
cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.20 cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9 cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8 cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8 cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.6.0.0; versions up to (including) 8.1.0.0.0 cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:* cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9 cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from (including) 5.0.0.0; versions up to (including) 5.6.0.0 cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0 cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8 cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8 cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.20 cpe:2.3:a:oracle:communications_diameter_signaling_router_idih\::*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.2.2 cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:* versions from (including) 19.1.0; versions up to (including) 19.1.2 cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8 cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:* cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:* cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.2; versions up to (excluding) 3.5.0 cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
CVE-2020-11023
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions (NVD):
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:* cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:* cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3 cpe:2.3:a:netapp:snapcenter_server:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0 cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_mobile:*:*:*:*:*:*:*:* versions up to (including) 20.12 cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:* cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6 cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2; versions up to (including) 16.2.11 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0; versions up to (including) 19.12.4 cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:* cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from (including) 2.4.0; versions up to (including) 2.10.0 cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7 
cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.0.3; versions up to (excluding) 3.5.0 cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:* cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0 cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70 cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:* cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from (including) 2.7.0; versions up to (including) 2.8.0 cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:* cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14 cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3 cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_human_capital_management_resources:9.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9 cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 20.2 cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from (including) 6.1; versions up to (including) 6.4 cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:* cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
hadoop-yarn-common-2.7.5.jar: jquery-ui-1.9.1.custom.min.js.gz: jquery-ui-1.9.1.custom.min.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-yarn-common/2.7.5/b642449750a8d0a51c4310b19264209e0e5c0fe9/hadoop-yarn-common-2.7.5.jar/webapps/static/jquery/jquery-ui-1.9.1.custom.min.js.gz/jquery-ui-1.9.1.custom.min.js
MD5: ab92e49c769e9593ff52cbdb48a9dd03
SHA1: 43751816cc0b6480e8fb3b2398952d6a865e8b89
SHA256: 1fb0b66548624c8cf9ebf2d0c81970910ab0c8031a8ada6f8e6f884114344e8d
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type     Source  Name     Value             Confidence
Vendor   file    name     jquery-ui-dialog  High
Product  file    name     jquery-ui-dialog  High
Version  file    version  1.9.1             High
Published Vulnerabilities
CVE-2010-5312
Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
Vulnerable Software & Versions (NVD):
cpe:2.3:a:jquery:jquery_ui:*:*:*:*:*:*:*:* versions up to (excluding) 1.10.0
CVE-2016-7103
Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions (NVD):
cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 19.1 cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 16.0; versions up to (including) 16.2 cpe:2.3:a:redhat:openstack:7.0:*:*:*:*:*:*:* cpe:2.3:a:redhat:openstack:9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 18.0; versions up to (including) 18.8.4 cpe:2.3:a:redhat:openstack:8.0:*:*:*:*:*:*:* cpe:2.3:a:jquery:jquery_ui:*:*:*:*:*:*:*:* versions from (including) 1.10.0; versions up to (including) 1.11.4 cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:jquery:jquery_ui:1.10.0:beta1:*:*:*:*:*:* cpe:2.3:a:jquery:jquery_ui:1.10.0:rc1:*:*:*:*:*:* cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:* cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:* cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.0; versions up to (including) 17.12.4 cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
hadoop-yarn-common-2.7.5.jar: jquery.dataTables.min.js.gz: jquery.dataTables.min.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-yarn-common/2.7.5/b642449750a8d0a51c4310b19264209e0e5c0fe9/hadoop-yarn-common-2.7.5.jar/webapps/static/dt-1.9.4/js/jquery.dataTables.min.js.gz/jquery.dataTables.min.js
MD5: dd02e31cea8b6f07d665e5a0d0b53f50
SHA1: 98c517335f66552467f2372e1cd650f93cbffeaf
SHA256: 1783d49bec463c334d276a72d3b239f6366f6487c2e77e544838e8c6dcc657d9
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence: none (the Type / Source / Name / Value / Confidence table is empty)
hadoop-yarn-common-2.7.5.jar: jquery.jstree.js.gz: jquery.jstree.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-yarn-common/2.7.5/b642449750a8d0a51c4310b19264209e0e5c0fe9/hadoop-yarn-common-2.7.5.jar/webapps/static/jt/jquery.jstree.js.gz/jquery.jstree.js
MD5: 90107823a51eda2bbe77a6b2baac3466
SHA1: 89944976806fcac399356f8d698952473f936489
SHA256: 9dcb812e3e7f2c38f0c93a37e4aa923ce3a74ab65a97656957ff3fb780baf3d0
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence: none (the Type / Source / Name / Value / Confidence table is empty)
hadoop-yarn-common-2.7.5.jar: natural.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-yarn-common/2.7.5/b642449750a8d0a51c4310b19264209e0e5c0fe9/hadoop-yarn-common-2.7.5.jar/webapps/static/dt-sorting/natural.js
MD5: 6119b176fc9ded71d13d2d9e4b166ba9
SHA1: 2f5ecc90d7e4a8d6922c345cadf4952be2eb0d6d
SHA256: 7abeaadbaef39a5a540701143e8bdc05a82be5030b69eb03373d3b7a84c0225f
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence: none (the Type / Source / Name / Value / Confidence table is empty)
hadoop-yarn-common-2.7.5.jar: yarn.dt.plugins.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-yarn-common/2.7.5/b642449750a8d0a51c4310b19264209e0e5c0fe9/hadoop-yarn-common-2.7.5.jar/webapps/static/yarn.dt.plugins.js
MD5: 92892ffa06992a58682b3df403910d8f
SHA1: 6c45673282b91be2d21977d3ffb53797179e4854
SHA256: f3b3e49f23c491bbd0d3e15fbd1a7e60315e6cac4c2e8ba7be7ab1c058880ba1
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence: none (the Type / Source / Name / Value / Confidence table is empty)
hadoop-yarn-server-common-2.7.5.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-yarn-server-common/2.7.5/98323db28aff7e0d5b1729450086eb215cdf1ee7/hadoop-yarn-server-common-2.7.5.jar
MD5: 65aa76b3b6a5a1d400429a73466c1313
SHA1: 98323db28aff7e0d5b1729450086eb215cdf1ee7
SHA256: 036afa26ddb37718f5eb2923a4b0f90b50a9a65b9320997870d5272ffa7b3c59
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type     Source   Name               Value                      Confidence
Vendor   file     name               hadoop-yarn-server-common  High
Vendor   pom      parent-artifactid  hadoop-yarn-server         Low
Vendor   jar      package name       yarn                       Low
Vendor   jar      package name       hadoop                     Highest
Vendor   gradle   groupid            org.apache.hadoop          Highest
Vendor   pom      artifactid         hadoop-yarn-server-common  Low
Vendor   pom      name               hadoop-yarn-server-common  High
Vendor   jar      package name       apache                     Highest
Vendor   jar      package name       yarn                       Highest
Vendor   pom      groupid            apache.hadoop              Highest
Vendor   jar      package name       server                     Highest
Vendor   jar      package name       apache                     Low
Vendor   pom      parent-groupid     org.apache.hadoop          Medium
Vendor   jar      package name       hadoop                     Low
Product  gradle   artifactid         hadoop-yarn-server-common  Highest
Product  file     name               hadoop-yarn-server-common  High
Product  jar      package name       yarn                       Low
Product  jar      package name       hadoop                     Highest
Product  pom      parent-artifactid  hadoop-yarn-server         Medium
Product  jar      package name       server                     Low
Product  pom      name               hadoop-yarn-server-common  High
Product  jar      package name       apache                     Highest
Product  jar      package name       yarn                       Highest
Product  pom      artifactid         hadoop-yarn-server-common  Highest
Product  pom      groupid            apache.hadoop              Highest
Product  jar      package name       server                     Highest
Product  pom      parent-groupid     org.apache.hadoop          Medium
Product  jar      package name       hadoop                     Low
Version  file     version            2.7.5                      High
Version  gradle   version            2.7.5                      Highest
Version  pom      version            2.7.5                      Highest
Published Vulnerabilities
CVE-2017-15713
Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure
The scanned artifact is 2.7.5, which this description lists as the first fixed 2.x release; the match comes from the CPE version range rather than the advisory text, so after confirming the artifact version it is a candidate for a suppression entry rather than an upgrade.
CVSSv2: Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
MLIST - [general] 20180119 CVE-2017-15713: Apache Hadoop MapReduce job history server vulnerability
OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and...
Vulnerable Software & Versions:
CVE-2018-11766
In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo (NVD has not assigned a CWE)
CVSSv2: Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 106035
MISC - https://lists.apache.org/thread.html/ff37bbbe09d5f03090e2dd2c3dea95de16ef4249e731f19b8959ce4c@%3Cgeneral.hadoop.apache.org%3E
OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls
Vulnerable Software & Versions:
CVE-2018-11767
In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3: Base Score: HIGH (7.4) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2018-11768
In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
MISC - https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E
MLIST - [flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [hadoop-general] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191006 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [lucene-dev] 20191029 CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191029 Re: CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191031 RE: CVE-2018-11768 in regards to Solr
OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0....
Vulnerable Software & Versions:
CVE-2018-1296 suppress
In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent. CWE-200 Information Exposure
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N References:
Vulnerable Software & Versions: (show all )
CVE-2018-8009 suppress
Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file. CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2:
Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P CVSSv3:
Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H References:
Vulnerable Software & Versions: (show all )
CVE-2018-8029 suppress
In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user. NVD-CWE-noinfo
CVSSv2:
Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C CVSSv3:
Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H References:
BID - 108518 CONFIRM - https://lists.apache.org/thread.html/17084c09e6dedf60efe08028b429c92ffd28aacc28454e4fa924578a@%3Cgeneral.hadoop.apache.org%3E CONFIRM - https://security.netapp.com/advisory/ntap-20190617-0001/ MLIST - [druid-commits] 20201008 [druid] branch 0.20.0 updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485) (#10492) MLIST - [druid-commits] 20201008 [druid] branch master updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485) MLIST - [hbase-dev] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029 MLIST - [hbase-issues] 20190530 [jira] [Commented] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029 MLIST - [hbase-issues] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029 OSSINDEX - [CVE-2018-8029] In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.... OSSINDEX - [CVE-2018-8029] In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.... OSSINDEX - [CVE-2018-8029] In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.... OSSINDEX - [CVE-2018-8029] In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.... OSSINDEX - [CVE-2018-8029] In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.... OSSINDEX - [CVE-2018-8029] In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.... OSSINDEX - [CVE-2018-8029] In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.... OSSINDEX - [CVE-2018-8029] In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.... Vulnerable Software & Versions: (show all )
CVE-2020-9492 suppress
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification. CWE-269 Improper Privilege Management
CVSSv2:
Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P CVSSv3:
Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H References:
CONFIRM - https://security.netapp.com/advisory/ntap-20210304-0001/ MISC - https://lists.apache.org/thread.html/r513758942356ccd0d14538ba18a09903fc72716d74be1cb727ea91ff%40%3Cgeneral.hadoop.apache.org%3E MLIST - [announce] 20210125 [CVE-2020-9492] Apache Hadoop Potential privilege escalation MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson opened a new pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core MLIST - [druid-commits] 20210225 [GitHub] [druid] liangrui1988 commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core MLIST - [solr-issues] 20210419 [jira] [Created] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2 MLIST - [solr-issues] 20210419 [jira] [Updated] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2 OSSINDEX - [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.... OSSINDEX - [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.... OSSINDEX - [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.... OSSINDEX - [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.... OSSINDEX - [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.... OSSINDEX - [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.... OSSINDEX - [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.... 
OSSINDEX - [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.... Vulnerable Software & Versions: (show all )
hadoop-yarn-server-nodemanager-2.7.5.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.hadoop/hadoop-yarn-server-nodemanager/2.7.5/719fff671d727354f70868011da6de37ee537732/hadoop-yarn-server-nodemanager-2.7.5.jar
MD5: 8bb068230f552e036c3a13c3b54a4aae
SHA1: 719fff671d727354f70868011da6de37ee537732
SHA256: f84fb2d4f20f7d0c8800a150947d6941dd5fd39bf819e58cf57ea37d0b5c7eab
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | hadoop-yarn-server | Low
Vendor | jar | package name | yarn | Low
Vendor | file | name | hadoop-yarn-server-nodemanager | High
Vendor | jar | package name | hadoop | Highest
Vendor | gradle | groupid | org.apache.hadoop | Highest
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | yarn | Highest
Vendor | pom | name | hadoop-yarn-server-nodemanager | High
Vendor | pom | artifactid | hadoop-yarn-server-nodemanager | Low
Vendor | pom | groupid | apache.hadoop | Highest
Vendor | jar | package name | server | Highest
Vendor | jar | package name | apache | Low
Vendor | pom | parent-groupid | org.apache.hadoop | Medium
Vendor | jar | package name | hadoop | Low
Product | jar | package name | yarn | Low
Product | file | name | hadoop-yarn-server-nodemanager | High
Product | jar | package name | hadoop | Highest
Product | pom | parent-artifactid | hadoop-yarn-server | Medium
Product | gradle | artifactid | hadoop-yarn-server-nodemanager | Highest
Product | jar | package name | server | Low
Product | pom | artifactid | hadoop-yarn-server-nodemanager | Highest
Product | jar | package name | apache | Highest
Product | jar | package name | yarn | Highest
Product | pom | name | hadoop-yarn-server-nodemanager | High
Product | pom | groupid | apache.hadoop | Highest
Product | jar | package name | server | Highest
Product | pom | parent-groupid | org.apache.hadoop | Medium
Product | jar | package name | hadoop | Low
Version | file | version | 2.7.5 | High
Version | gradle | version | 2.7.5 | Highest
Version | pom | version | 2.7.5 | Highest
Published Vulnerabilities
CVE-2017-15713
Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (4.0) Vector: /AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
MLIST - [general] 20180119 CVE-2017-15713: Apache Hadoop MapReduce job history server vulnerability
OSSINDEX - [CVE-2017-15713] Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and...
Vulnerable Software & Versions:
CVE-2018-11766
In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 106035
MISC - https://lists.apache.org/thread.html/ff37bbbe09d5f03090e2dd2c3dea95de16ef4249e731f19b8959ce4c@%3Cgeneral.hadoop.apache.org%3E
OSSINDEX - [CVE-2018-11766] Permissions, Privileges, and Access Controls
Vulnerable Software & Versions:
CVE-2018-11767
In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, and 2.7.5 to 2.7.6, the KMS may block users or grant access to users incorrectly if the system uses non-default groups mapping mechanisms.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:P
CVSSv3: Base Score: HIGH (7.4) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2018-11768
In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
MISC - https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E
MLIST - [flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [hadoop-general] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191004 Re:CVE-2018-11768: HDFS FSImage Corruption
MLIST - [hadoop-hdfs-dev] 20191006 Re: CVE-2018-11768: HDFS FSImage Corruption
MLIST - [lucene-dev] 20191029 CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191029 Re: CVE-2018-11768 in regards to Solr
MLIST - [lucene-dev] 20191031 RE: CVE-2018-11768 in regards to Solr
OSSINDEX - [CVE-2018-11768] In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0....
Vulnerable Software & Versions:
CVE-2018-1296
In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2018-8009
Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2018-8029
In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
BID - 108518
CONFIRM - https://lists.apache.org/thread.html/17084c09e6dedf60efe08028b429c92ffd28aacc28454e4fa924578a@%3Cgeneral.hadoop.apache.org%3E
CONFIRM - https://security.netapp.com/advisory/ntap-20190617-0001/
MLIST - [druid-commits] 20201008 [druid] branch 0.20.0 updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485) (#10492)
MLIST - [druid-commits] 20201008 [druid] branch master updated: Suppress CVE-2018-11765 for hadoop dependencies (#10485)
MLIST - [hbase-dev] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190530 [jira] [Commented] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
MLIST - [hbase-issues] 20190603 [jira] [Resolved] (HBASE-22499) Drop the support for several hadoop releases due to CVE-2018-8029
OSSINDEX - [CVE-2018-8029] In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2....
Vulnerable Software & Versions:
CVE-2020-9492
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, the WebHDFS client might send the SPNEGO authorization header to a remote URL without proper verification.
CWE-269 Improper Privilege Management
CVSSv2: Base Score: MEDIUM (6.5) Vector: /AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
CONFIRM - https://security.netapp.com/advisory/ntap-20210304-0001/
MISC - https://lists.apache.org/thread.html/r513758942356ccd0d14538ba18a09903fc72716d74be1cb727ea91ff%40%3Cgeneral.hadoop.apache.org%3E
MLIST - [announce] 20210125 [CVE-2020-9492] Apache Hadoop Potential privilege escalation
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210203 [GitHub] [druid] jihoonson opened a new pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [druid-commits] 20210225 [GitHub] [druid] liangrui1988 commented on pull request #10847: Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
MLIST - [solr-issues] 20210419 [jira] [Created] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
MLIST - [solr-issues] 20210419 [jira] [Updated] (SOLR-15355) CVE-2020-9492: Upgrade hadoop-hdfs-client to 3.2.2
OSSINDEX - [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10....
Vulnerable Software & Versions:
hamcrest-2.1.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.hamcrest/hamcrest/2.1/9420ba32c29217b54eebd26ff7f9234d31c3fbb2/hamcrest-2.1.jar
MD5: a139bcc7cb0c2eff7e9f9733a58d5bdd
SHA1: 9420ba32c29217b54eebd26ff7f9234d31c3fbb2
SHA256: ba93b2e3a562322ba432f0a1b53addcc55cb188253319a020ed77f824e692050
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | gradle | groupid | org.hamcrest | Highest
Vendor | jar | package name | hamcrest | Low
Vendor | Manifest | bundle-symbolicname | org.hamcrest | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | Manifest | Implementation-Vendor | hamcrest.org | High
Vendor | jar | package name | hamcrest | Highest
Vendor | file | name | hamcrest | High
Vendor | Manifest | automatic-module-name | org.hamcrest | Medium
Product | Manifest | Implementation-Title | hamcrest | High
Product | Manifest | bundle-symbolicname | org.hamcrest | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | jar | package name | hamcrest | Highest
Product | file | name | hamcrest | High
Product | gradle | artifactid | hamcrest | Highest
Product | Manifest | automatic-module-name | org.hamcrest | Medium
Product | Manifest | Bundle-Name | hamcrest | Medium
Version | Manifest | Implementation-Version | 2.1 | High
Version | file | version | 2.1 | High
hamcrest-core-2.1.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.hamcrest/hamcrest-core/2.1/70dd49dea4507315b1fa3bc1aa59b1442d55957a/hamcrest-core-2.1.jar
MD5: c0e187c67e3a7910d5d54894964cc195
SHA1: 70dd49dea4507315b1fa3bc1aa59b1442d55957a
SHA256: e09109e54a289d88506b9bfec987ddd199f4217c9464132668351b9a4f00bee9
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | gradle | groupid | org.hamcrest | Highest
Vendor | jar | package name | hamcrest | Low
Vendor | Manifest | Implementation-Vendor | hamcrest.org | High
Vendor | jar | package name | hamcrest | Highest
Vendor | file | name | hamcrest-core | High
Vendor | Manifest | automatic-module-name | org.hamcrest | Medium
Product | Manifest | Implementation-Title | hamcrest-core | High
Product | jar | package name | hamcrestcoreisdeprecated | Low
Product | jar | package name | hamcrest | Highest
Product | file | name | hamcrest-core | High
Product | Manifest | automatic-module-name | org.hamcrest | Medium
Product | gradle | artifactid | hamcrest-core | Highest
Version | Manifest | Implementation-Version | 2.1 | High
Version | file | version | 2.1 | High
hk2-api-2.4.0-b34.jar
Description: ${project.name}
License: https://glassfish.java.net/nonav/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.hk2/hk2-api/2.4.0-b34/1017432e219dbd1d4a1121b2d7e87c5b2f0bcfb9/hk2-api-2.4.0-b34.jar
MD5: 2972849752ed511bd069812ba2b29d2d
SHA1: 1017432e219dbd1d4a1121b2d7e87c5b2f0bcfb9
SHA256: 6eb071aaea327015ac3da18d5066c364c1a39978f4b6f94644158675ca5b9ced
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | bundle-docurl | http://www.oracle.com | Low
Vendor | pom | parent-groupid | org.glassfish.hk2 | Medium
Vendor | jar | package name | glassfish | Highest
Vendor | pom | groupid | glassfish.hk2 | Highest
Vendor | Manifest | bundle-symbolicname | org.glassfish.hk2.api | Medium
Vendor | pom | name | HK2 API module | High
Vendor | jar | package name | hk2 | Highest
Vendor | gradle | groupid | org.glassfish.hk2 | Highest
Vendor | pom | artifactid | hk2-api | Low
Vendor | file | name | hk2-api | High
Vendor | jar | package name | api | Highest
Vendor | pom | parent-artifactid | hk2-parent | Low
Product | Manifest | bundle-docurl | http://www.oracle.com | Low
Product | pom | parent-groupid | org.glassfish.hk2 | Medium
Product | jar | package name | glassfish | Highest
Product | pom | groupid | glassfish.hk2 | Highest
Product | pom | parent-artifactid | hk2-parent | Medium
Product | Manifest | bundle-symbolicname | org.glassfish.hk2.api | Medium
Product | pom | name | HK2 API module | High
Product | jar | package name | hk2 | Highest
Product | Manifest | Bundle-Name | HK2 API module | Medium
Product | file | name | hk2-api | High
Product | jar | package name | api | Highest
Product | gradle | artifactid | hk2-api | Highest
Product | pom | artifactid | hk2-api | Highest
Version | gradle | version | 2.4.0-b34 | Highest
Version | pom | version | 2.4.0-b34 | Highest
hk2-locator-2.4.0-b34.jar
Description: ${project.name}
License: https://glassfish.java.net/nonav/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.hk2/hk2-locator/2.4.0-b34/1451fc3e5b7f00d7a5ca0feaff2c1bf68be5ac91/hk2-locator-2.4.0-b34.jar
MD5: 09eda1a8dd33d465ec7bac9536f3eaf7
SHA1: 1451fc3e5b7f00d7a5ca0feaff2c1bf68be5ac91
SHA256: ea47ebf7ed56ef751055710cfad36840bcc36383cf387c4a963b41447c066f8f
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | bundle-docurl | http://www.oracle.com | Low
Vendor | pom | name | ServiceLocator Default Implementation | High
Vendor | jar | package name | hk2 | Highest
Vendor | gradle | groupid | org.glassfish.hk2 | Highest
Vendor | pom | parent-groupid | org.glassfish.hk2 | Medium
Vendor | file | name | hk2-locator | High
Vendor | Manifest | bundle-symbolicname | org.glassfish.hk2.locator | Medium
Vendor | pom | parent-artifactid | hk2-parent | Low
Vendor | pom | groupid | glassfish.hk2 | Highest
Vendor | pom | artifactid | hk2-locator | Low
Product | Manifest | bundle-docurl | http://www.oracle.com | Low
Product | pom | name | ServiceLocator Default Implementation | High
Product | jar | package name | hk2 | Highest
Product | pom | artifactid | hk2-locator | Highest
Product | Manifest | Bundle-Name | ServiceLocator Default Implementation | Medium
Product | pom | parent-groupid | org.glassfish.hk2 | Medium
Product | gradle | artifactid | hk2-locator | Highest
Product | file | name | hk2-locator | High
Product | Manifest | bundle-symbolicname | org.glassfish.hk2.locator | Medium
Product | pom | groupid | glassfish.hk2 | Highest
Product | pom | parent-artifactid | hk2-parent | Medium
Version | gradle | version | 2.4.0-b34 | Highest
Version | pom | version | 2.4.0-b34 | Highest
hk2-utils-2.4.0-b34.jar
Description: ${project.name}
License: https://glassfish.java.net/nonav/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.hk2/hk2-utils/2.4.0-b34/aacce18411fffef9621d8fc91464ca0477119c38/hk2-utils-2.4.0-b34.jar
MD5: f0c9e9df24ad2c2feb1f950b82146245
SHA1: aacce18411fffef9621d8fc91464ca0477119c38
SHA256: 70211b1f918819bf6afbf69d3d19d4ae6e2a75d6e26f6c39ba9f20eb8e5612d7
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | bundle-docurl | http://www.oracle.com | Low
Vendor | Manifest | service | foo | Low
Vendor | pom | parent-groupid | org.glassfish.hk2 | Medium
Vendor | jar | package name | utilities | Highest
Vendor | jar | package name | glassfish | Highest
Vendor | pom | groupid | glassfish.hk2 | Highest
Vendor | pom | name | HK2 Implementation Utilities | High
Vendor | file | name | hk2-utils | High
Vendor | Manifest | bundle-symbolicname | org.glassfish.hk2.utils | Medium
Vendor | jar | package name | hk2 | Highest
Vendor | gradle | groupid | org.glassfish.hk2 | Highest
Vendor | Manifest | originally-created-by | Apache Maven | Low
Vendor | pom | parent-artifactid | hk2-parent | Low
Vendor | pom | artifactid | hk2-utils | Low
Product | Manifest | bundle-docurl | http://www.oracle.com | Low
Product | pom | artifactid | hk2-utils | Highest
Product | Manifest | service | foo | Low
Product | pom | parent-groupid | org.glassfish.hk2 | Medium
Product | jar | package name | utilities | Highest
Product | jar | package name | glassfish | Highest
Product | pom | groupid | glassfish.hk2 | Highest
Product | pom | parent-artifactid | hk2-parent | Medium
Product | pom | name | HK2 Implementation Utilities | High
Product | file | name | hk2-utils | High
Product | gradle | artifactid | hk2-utils | Highest
Product | Manifest | bundle-symbolicname | org.glassfish.hk2.utils | Medium
Product | jar | package name | hk2 | Highest
Product | Manifest | originally-created-by | Apache Maven | Low
Product | Manifest | Bundle-Name | HK2 Implementation Utilities | Medium
Version | gradle | version | 2.4.0-b34 | Highest
Version | pom | version | 2.4.0-b34 | Highest
hk2-utils-2.4.0-b34.jar (shaded: org.jvnet:tiger-types:1.4)
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.hk2/hk2-utils/2.4.0-b34/aacce18411fffef9621d8fc91464ca0477119c38/hk2-utils-2.4.0-b34.jar/META-INF/maven/org.jvnet/tiger-types/pom.xml
MD5: 51329dba505e7cc4a9bc2719cf195be0
SHA1: 5855a7ee03b816073c2b448bce93319bd71f7029
SHA256: 58794aca99cadb3aab687b56fd6d84871956590323dd0ea5d611db759e78c6b9
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | jvnet | Highest
Vendor | pom | parent-artifactid | jvnet-parent | Low
Vendor | pom | parent-groupid | net.java | Medium
Vendor | pom | artifactid | tiger-types | Low
Vendor | pom | name | Type arithmetic library for Java5 | High
Product | pom | groupid | jvnet | Highest
Product | pom | artifactid | tiger-types | Highest
Product | pom | parent-groupid | net.java | Medium
Product | pom | name | Type arithmetic library for Java5 | High
Product | pom | parent-artifactid | jvnet-parent | Medium
Version | pom | version | 1.4 | Highest
Version | pom | parent-version | 1.4 | Low
hsqldb-1.8.0.10.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/hsqldb/hsqldb/1.8.0.10/7e9978fdb754bce5fcd5161133e7734ecb683036/hsqldb-1.8.0.10.jar
MD5: 7df83e09e41d742cc5fb20d16b80729c
SHA1: 7e9978fdb754bce5fcd5161133e7734ecb683036
SHA256: b04b3b3ac295d497c87230eeb4f888327a5a15b9c3c1567db202a51d83ac9e41
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | hsqldb | High
Vendor | gradle | groupid | hsqldb | Highest
Vendor | jar | package name | hsqldb | Low
Vendor | Manifest | specification-vendor | The HSQLDB Development Group | Low
Vendor | Manifest | Implementation-Vendor | ft | High
Product | file | name | hsqldb | High
Product | gradle | artifactid | hsqldb | Highest
Product | Manifest | specification-title | HSQLDB | Medium
Product | Manifest | Implementation-Title | Standard runtime | High
Product | jar | package name | hsqldb | Highest
Version | gradle | version | 1.8.0.10 | Highest
Version | file | version | 1.8.0.10 | High
Version | file | name | hsqldb | Medium
Version | Manifest | Implementation-Version | private-2008/06/01-10:22:29 | High
hsqldb-2.4.1.jar
Description: HyperSQL Lightweight 100% Java SQL Database Engine
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.hsqldb/hsqldb/2.4.1/9daff99b4fbd6809fd46ab4327650ad00a1be6d4/hsqldb-2.4.1.jar
MD5: 4fecc773be5e64721615213d314e8de3
SHA1: 9daff99b4fbd6809fd46ab4327650ad00a1be6d4
SHA256: 417294fff9d6b6a4f7ee522982ed2693cdda28d131da0d9e4f048a57d6e1cdb2
Referenced In Projects/Scopes: calcite:sqllineClasspath plus:compileClasspath plus:default plus:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | hsqldb | High
Vendor | Manifest | build-vendor | blaine | Medium
Vendor | gradle | groupid | org.hsqldb | Highest
Vendor | jar | package name | hsqldb | Low
Vendor | Manifest | specification-vendor | The HSQL Development Group | Low
Vendor | Manifest | Implementation-Vendor | The HSQL Development Group | High
Vendor | Manifest | bundle-symbolicname | org.hsqldb.hsqldb | Medium
Vendor | Manifest | originally-created-by | 1.8.0_172-b11 (Oracle Corporation) | Low
Vendor | jar | package name | hsqldb | Highest
Product | file | name | hsqldb | High
Product | gradle | artifactid | hsqldb | Highest
Product | jar | package name | database | Highest
Product | jar | package name | java | Highest
Product | Manifest | specification-title | HSQLDB | Medium
Product | Manifest | Implementation-Title | Standard runtime | High
Product | Manifest | Bundle-Name | HSQLDB | Medium
Product | Manifest | bundle-symbolicname | org.hsqldb.hsqldb | Medium
Product | Manifest | originally-created-by | 1.8.0_172-b11 (Oracle Corporation) | Low
Product | jar | package name | hsqldb | Highest
Version | Manifest | Implementation-Version | 2.4.1 | High
Version | file | version | 2.4.1 | High
htrace-core-3.1.0-incubating.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.htrace/htrace-core/3.1.0-incubating/f73606e7c9ede5802335c290bf47490ad6d51df3/htrace-core-3.1.0-incubating.jar
MD5: c49a4662d691a09eed10e0a35dd73299
SHA1: f73606e7c9ede5802335c290bf47490ad6d51df3
SHA256: d96c869afaf65315ece8ca09673b187557e9dbaad31df24467a5aa759812188d
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | Implementation-Vendor-Id | org.apache.htrace | Medium
Vendor | pom | parent-artifactid | htrace | Low
Vendor | pom | name | htrace-core | High
Vendor | jar | package name | htrace | Highest
Vendor | gradle | groupid | org.apache.htrace | Highest
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | pom | groupid | apache.htrace | Highest
Vendor | pom | artifactid | htrace-core | Low
Vendor | pom | parent-groupid | org.apache.htrace | Medium
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | url | http://incubator.apache.org/projects/htrace.html | Highest
Vendor | jar | package name | apache | Highest
Vendor | file | name | htrace-core | High
Product | pom | name | htrace-core | High
Product | jar | package name | htrace | Highest
Product | pom | groupid | apache.htrace | Highest
Product | pom | parent-groupid | org.apache.htrace | Medium
Product | pom | parent-artifactid | htrace | Medium
Product | jar | package name | apache | Highest
Product | pom | url | http://incubator.apache.org/projects/htrace.html | Medium
Product | file | name | htrace-core | High
Product | Manifest | Implementation-Title | htrace-core | High
Product | pom | artifactid | htrace-core | Highest
Product | Manifest | specification-title | htrace-core | Medium
Product | gradle | artifactid | htrace-core | Highest
Version | gradle | version | 3.1.0-incubating | Highest
Version | Manifest | Implementation-Version | 3.1.0-incubating | High
Version | pom | version | 3.1.0-incubating | Highest
htrace-core-3.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-annotations:2.4.0)
Description: Core annotations used for value types, used by Jackson data binding package.
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.htrace/htrace-core/3.1.0-incubating/f73606e7c9ede5802335c290bf47490ad6d51df3/htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-annotations/pom.xml
MD5: 556310b593b9688b85686409e0bd5377
SHA1: 2b75fa41636e5d02edc961ee9c68e6f041dc85a9
SHA256: 63e2e01157c8964913ef8bb0e69cec0d363d31129089206f7fb07ee5438359c0
Referenced In Projects/Scopes:
piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor pom groupid fasterxml.jackson.core Highest Vendor pom parent-groupid com.fasterxml.jackson Medium Vendor pom artifactid jackson-annotations Low Vendor pom parent-artifactid jackson-parent Low Vendor pom url http://wiki.fasterxml.com/JacksonHome Highest Vendor pom name Jackson-annotations High Product hint analyzer product modules Highest Product pom parent-artifactid jackson-parent Medium Product pom groupid fasterxml.jackson.core Highest Product pom parent-groupid com.fasterxml.jackson Medium Product pom url http://wiki.fasterxml.com/JacksonHome Medium Product hint analyzer product java8 Highest Product pom name Jackson-annotations High Product pom artifactid jackson-annotations Highest Version pom version 2.4.0 Highest Version pom parent-version 2.4.0 Low
Published Vulnerabilities
CVE-2018-1000873
FasterXML Jackson versions before 2.9.8 contain a CWE-20 (Improper Input Validation) vulnerability in jackson-modules-java8 that can result in a denial of service (DoS). The attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CWE-20 Improper Input Validation
Note: the vulnerable code is in the jackson-modules-java8 (JSR-310 date/time) module, not in jackson-annotations. The entry is attached to this shaded artifact only through the hint-analyzer product names "modules" and "java8" in the evidence above, so confirm that the JSR-310 module is actually shaded into the jar before treating the finding as applicable.
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Vulnerable Software & Versions:
htrace-core-3.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-core:2.4.0)
Description: Core Jackson abstractions, basic JSON streaming API implementation
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.htrace/htrace-core/3.1.0-incubating/f73606e7c9ede5802335c290bf47490ad6d51df3/htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.xml
MD5: b5ed6cb7f987a4da86141638b1538d81
SHA1: ed8235ea6d84480833675e709b415bde24ce25f7
SHA256: 8310978da8c7013ecaaba13c9b41b75ab3a09797ae4b946ae5e1614088f995d7
Referenced In Projects/Scopes:
piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor pom groupid fasterxml.jackson.core Highest Vendor pom parent-groupid com.fasterxml.jackson Medium Vendor pom parent-artifactid jackson-parent Low Vendor pom url http://wiki.fasterxml.com/JacksonHome Highest Vendor pom artifactid jackson-core Low Vendor pom name Jackson-core High Product hint analyzer product modules Highest Product pom parent-artifactid jackson-parent Medium Product pom groupid fasterxml.jackson.core Highest Product pom parent-groupid com.fasterxml.jackson Medium Product pom artifactid jackson-core Highest Product pom url http://wiki.fasterxml.com/JacksonHome Medium Product hint analyzer product java8 Highest Product pom name Jackson-core High Version pom version 2.4.0 Highest Version pom parent-version 2.4.0 Low
Published Vulnerabilities
CVE-2018-1000873
FasterXML Jackson versions before 2.9.8 contain a CWE-20 (Improper Input Validation) vulnerability in jackson-modules-java8 that can result in a denial of service (DoS). The attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CWE-20 Improper Input Validation
Note: the vulnerable code is in the jackson-modules-java8 module, not in jackson-core; the match here rests on the hint-analyzer product names "modules" and "java8" in the evidence above and should be verified against the jar's contents.
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Vulnerable Software & Versions:
htrace-core-3.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0)
Description: General data-binding functionality for Jackson: works on core streaming API
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.htrace/htrace-core/3.1.0-incubating/f73606e7c9ede5802335c290bf47490ad6d51df3/htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml
MD5: d3f7afe903419aa0c03f9cf8682e1a69
SHA1: 3c0d06b6c0a9f4135fcf5c5557c751c0cd066c0c
SHA256: 083be927bdddaf1e992d0e9f0fff509b60f35deea307216d8ba773f065a6f30c
Referenced In Projects/Scopes:
piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor pom artifactid jackson-databind Low Vendor pom groupid fasterxml.jackson.core Highest Vendor pom parent-groupid com.fasterxml.jackson Medium Vendor pom parent-artifactid jackson-parent Low Vendor pom name jackson-databind High Vendor pom url http://wiki.fasterxml.com/JacksonHome Highest Product hint analyzer product modules Highest Product pom parent-artifactid jackson-parent Medium Product pom groupid fasterxml.jackson.core Highest Product pom parent-groupid com.fasterxml.jackson Medium Product pom artifactid jackson-databind Highest Product pom url http://wiki.fasterxml.com/JacksonHome Medium Product pom name jackson-databind High Product hint analyzer product java8 Highest Version pom version 2.4.0 Highest Version pom parent-version 2.4.0 Low
Published Vulnerabilities
CVE-2017-15095 (OSSINDEX)
A deserialization flaw was discovered in jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*
CVE-2017-17485 (OSSINDEX)
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*
CVE-2017-7525 (OSSINDEX)
A deserialization flaw was discovered in jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper.
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*
CVE-2018-1000873
FasterXML Jackson versions before 2.9.8 contain a CWE-20 (Improper Input Validation) vulnerability in jackson-modules-java8 that can result in a denial of service (DoS). The attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CWE-20 Improper Input Validation
Note: unlike the other entries listed for this artifact, this CVE concerns the separate jackson-modules-java8 module and is matched here through the hint-analyzer product names "modules" and "java8" in the evidence above; verify that module is present in the jar before counting it.
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Vulnerable Software & Versions:
CVE-2018-11307 (OSSINDEX)
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*
CVE-2018-14718 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*
CVE-2018-5968 (OSSINDEX)
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*
CVE-2018-7489
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CWE-502 Deserialization of Untrusted Data, CWE-184 Incomplete Blacklist
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable Software & Versions:
CVE-2019-14540 (OSSINDEX)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*
CVE-2019-14893 (OSSINDEX)
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*
CVE-2019-16335 (OSSINDEX)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*
CVE-2019-16942 (OSSINDEX)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*
CVE-2019-16943 (OSSINDEX)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*
CVE-2019-17267 (OSSINDEX)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*
CVE-2019-17531 (OSSINDEX)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*
CVE-2019-20330 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*
CVE-2020-35490
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
CWE-502 Deserialization of Untrusted Data
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable Software & Versions:
CVE-2020-35491
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
CWE-502 Deserialization of Untrusted Data
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable Software & Versions:
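Every jackson-databind finding above, from CVE-2017-7525 through the dbcp2 entries, hinges on one configuration: polymorphic default typing (or @JsonTypeInfo with Id.CLASS / Id.MINIMAL_CLASS) on a property whose declared type lets the JSON itself name the class to instantiate, with a gadget class on the classpath doing the rest. The block below is an added example, not code from this report, from htrace or from the Jackson project. It puts that unsafe shape beside the allow-list form and assumes jackson-databind 2.10 or later on the classpath (the PolymorphicTypeValidator API does not exist in the 2.4.0 copy shaded into htrace-core, and that copy also predates the gadget block-list the CVEs keep extending); the Event, Login and envelope classes and both JSON messages are constructed for illustration.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Added example (not from the Dependency-Check report, htrace or Jackson).
 * Assumes jackson-databind >= 2.10: activateDefaultTyping and
 * BasicPolymorphicTypeValidator are absent from the shaded 2.4.0 copy.
 */
public class JacksonTypingDemo {

    /** Hypothetical application types legitimately accepted in a polymorphic field. */
    public interface Event { }
    public static final class Login implements Event { public String user; }

    /** The exploitable shape: an Object-typed property plus global default typing,
     *  so the class that gets instantiated is whatever name the JSON carries. */
    public static final class LooseEnvelope { public Object payload; }

    /** The hardened shape: a narrow declared type plus an allow-list validator. */
    public static final class TypedEnvelope { public Event payload; }

    /** Constructed sample input in Jackson's WRAPPER_ARRAY format: [type id, value].
     *  The sender names the class; java.util.HashMap is harmless, the gadget
     *  classes named in the CVEs above are not. */
    static final String SENDER_CONTROLLED_JSON =
            "{\"payload\":[\"java.util.HashMap\",{\"cmd\":\"whoami\"}]}";

    /** Constructed legitimate message in the same wire format. */
    static final String LEGITIMATE_JSON =
            "{\"payload\":[\"" + Login.class.getName() + "\",{\"user\":\"alice\"}]}";

    /** Pre-2.10 style configuration; deprecated since 2.10 for exactly this reason. */
    public static ObjectMapper unsafeMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();   // OBJECT_AND_NON_CONCRETE, no subtype validation
        return mapper;
    }

    /** Default typing restricted to subtypes of Event; any other type id is
     *  refused before a constructor of the named class can run. */
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Event.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Unsafe mapper: the sender-chosen class is instantiated (prints java.util.HashMap).
        LooseEnvelope loose = unsafeMapper().readValue(SENDER_CONTROLLED_JSON, LooseEnvelope.class);
        System.out.println("unsafe mapper instantiated " + loose.payload.getClass().getName());

        // Hardened mapper: the legitimate message still round-trips ...
        TypedEnvelope ok = hardenedMapper().readValue(LEGITIMATE_JSON, TypedEnvelope.class);
        System.out.println("hardened mapper accepted " + ok.payload.getClass().getSimpleName());

        // ... but the sender-controlled type id is rejected as an invalid type id.
        try {
            hardenedMapper().readValue(SENDER_CONTROLLED_JSON, TypedEnvelope.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper refused type id " + e.getTypeId());
        }
    }
}
```

The allow-list only protects code that goes through a modern ObjectMapper; it does nothing for the 2.4.0 copy relocated inside htrace-core-3.1.0-incubating.jar, which can only be dealt with by replacing or upgrading that dependency. Note also that the block-list approach the CVE texts describe (each fix "blacklisting more classes") is what the allow-list replaces: a deny-list is only as complete as the last gadget someone found.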
CWE-611: Improper Restriction of XML External Entity Reference ('XXE') (OSSINDEX)
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
Note: this OSS Index entry carries no CVE identifier and only the generic CWE-611 definition, so trace it to the underlying OSS Index advisory before acting on it.
CVSSv3: Base Score: MEDIUM (5.4) Vector: CVSS:/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:com.fasterxml.jackson.core:jackson-databind:2.4.0:*:*:*:*:*:*:*
httpasyncclient-4.1.4.jar
Description: Apache HttpComponents AsyncClient
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpasyncclient/4.1.4/f3a3240681faae3fa46b573a4c7e50cec9db0d86/httpasyncclient-4.1.4.jar
MD5: f29a16f1c28f5b3dd511cbd16d7fa422
SHA1: f3a3240681faae3fa46b573a4c7e50cec9db0d86
SHA256: 50e981a8e567a16ebdad104605b156540a863459fa127b8ba647f310dfc83ef8
Referenced In Projects/Scopes:
elasticsearch:compileClasspath calcite:sqllineClasspath elasticsearch:runtimeClasspath elasticsearch:default Evidence Type Source Name Value Confidence Vendor file name httpasyncclient High Vendor pom name Apache HttpAsyncClient High Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor pom parent-artifactid httpcomponents-asyncclient Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom url http://hc.apache.org/httpcomponents-asyncclient Highest Vendor pom groupid apache.httpcomponents Highest Vendor jar package name apache Highest Vendor Manifest Implementation-Vendor-Id org.apache.httpcomponents Medium Vendor gradle groupid org.apache.httpcomponents Highest Vendor pom parent-groupid org.apache.httpcomponents Medium Vendor pom artifactid httpasyncclient Low Vendor Manifest automatic-module-name org.apache.httpcomponents.httpasyncclient Medium Product file name httpasyncclient High Product pom parent-artifactid httpcomponents-asyncclient Medium Product pom url http://hc.apache.org/httpcomponents-asyncclient Medium Product pom name Apache HttpAsyncClient High Product pom artifactid httpasyncclient Highest Product gradle artifactid httpasyncclient Highest Product pom groupid apache.httpcomponents Highest Product jar package name apache Highest Product pom parent-groupid org.apache.httpcomponents Medium Product Manifest Implementation-Title Apache HttpAsyncClient High Product Manifest automatic-module-name org.apache.httpcomponents.httpasyncclient Medium Product Manifest specification-title Apache HttpAsyncClient Medium Version pom version 4.1.4 Highest Version gradle version 4.1.4 Highest Version file version 4.1.4 High Version Manifest Implementation-Version 4.1.4 High
httpclient-4.5.9.jar
Description: Apache HttpComponents Client
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.9/a25c1be5ce99d0ce99aa43eb982868c796dd0775/httpclient-4.5.9.jar
MD5: 62fce5f1f44f9df4a68d9a390b8982eb
SHA1: a25c1be5ce99d0ce99aa43eb982868c796dd0775
SHA256: 6c7e3bb423d8c5574f28157fe42b4c38d6a3477bfa2954cfe5f330b14ecad8a9
Referenced In Projects/Scopes:
piglet:compileClasspath babel:default piglet:runtimeClasspath spark:default splunk:default function:runtimeClasspath kafka:default spark:compileClasspath redis:runtimeClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath core:default linq4j:runtimeClasspath linq4j:default elasticsearch:compileClasspath babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default pig:default plus:runtimeClasspath function:default csv:default kafka:runtimeClasspath splunk:runtimeClasspath file:runtimeClasspath innodb:runtimeClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default elasticsearch:default geode:compileClasspath druid:runtimeClasspath mongodb:runtimeClasspath file:default server:default pig:runtimeClasspath mongodb:default redis:default geode:runtimeClasspath csv:runtimeClasspath plus:default cassandra:default Evidence Type Source Name Value Confidence Vendor pom url http://hc.apache.org/httpcomponents-client Highest Vendor jar package name client Highest Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom parent-artifactid httpcomponents-client Low Vendor file name httpclient High Vendor pom groupid apache.httpcomponents Highest Vendor jar package name apache Highest Vendor Manifest Implementation-Vendor-Id org.apache.httpcomponents Medium Vendor gradle groupid org.apache.httpcomponents Highest Vendor pom parent-groupid org.apache.httpcomponents Medium Vendor Manifest implementation-url http://hc.apache.org/httpcomponents-client Low Vendor jar package name httpclient Highest Vendor Manifest automatic-module-name org.apache.httpcomponents.httpclient Medium Vendor pom artifactid httpclient Low Vendor pom name Apache HttpClient High Product Manifest Implementation-Title Apache HttpClient High Product pom url http://hc.apache.org/httpcomponents-client Medium Product Manifest 
specification-title Apache HttpClient Medium Product jar package name client Highest Product pom artifactid httpclient Highest Product file name httpclient High Product gradle artifactid httpclient Highest Product pom groupid apache.httpcomponents Highest Product jar package name apache Highest Product pom parent-groupid org.apache.httpcomponents Medium Product pom parent-artifactid httpcomponents-client Medium Product Manifest implementation-url http://hc.apache.org/httpcomponents-client Low Product jar package name http Highest Product jar package name httpclient Highest Product Manifest automatic-module-name org.apache.httpcomponents.httpclient Medium Product pom name Apache HttpClient High Version Manifest Implementation-Version 4.5.9 High Version pom version 4.5.9 Highest Version gradle version 4.5.9 Highest Version file version 4.5.9 High
Published Vulnerabilities
CVE-2020-13956
Apache HttpClient versions prior to 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution.
NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Vulnerable Software & Versions:
httpcore-4.4.11.jar
Description: Apache HttpComponents Core (blocking I/O)
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpcore/4.4.11/de748cf874e4e193b42eceea9fe5574fabb9d4df/httpcore-4.4.11.jar
MD5: 9299550b06219959d0f2223b1a8bb337
SHA1: de748cf874e4e193b42eceea9fe5574fabb9d4df
SHA256: d799522d579aac06b170603f8f080f6e3248dadc01f9652cdd7ea7bc318c21ce
Referenced In Projects/Scopes:
piglet:compileClasspath babel:default piglet:runtimeClasspath spark:default splunk:default function:runtimeClasspath kafka:default spark:compileClasspath redis:runtimeClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath core:default linq4j:runtimeClasspath linq4j:default elasticsearch:compileClasspath babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default pig:default plus:runtimeClasspath function:default csv:default kafka:runtimeClasspath splunk:runtimeClasspath file:runtimeClasspath innodb:runtimeClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default elasticsearch:default geode:compileClasspath druid:runtimeClasspath mongodb:runtimeClasspath file:default server:default pig:runtimeClasspath mongodb:default redis:default geode:runtimeClasspath csv:runtimeClasspath plus:default cassandra:default Evidence Type Source Name Value Confidence Vendor pom parent-artifactid httpcomponents-core Low Vendor pom url http://hc.apache.org/httpcomponents-core-ga Highest Vendor Manifest automatic-module-name org.apache.httpcomponents.httpcore Medium Vendor Manifest implementation-url http://hc.apache.org/httpcomponents-core-ga Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor file name httpcore High Vendor pom artifactid httpcore Low Vendor pom groupid apache.httpcomponents Highest Vendor jar package name apache Highest Vendor gradle groupid org.apache.httpcomponents Highest Vendor Manifest implementation-build ${scmBranch}@r${buildNumber}; 2019-01-15 10:23:31+0000 Low Vendor pom parent-groupid org.apache.httpcomponents Medium Vendor Manifest url http://hc.apache.org/httpcomponents-core-ga Low Vendor Manifest Implementation-Vendor-Id org.apache Medium Vendor pom name Apache HttpCore High Product pom artifactid httpcore Highest Product Manifest automatic-module-name 
org.apache.httpcomponents.httpcore Medium Product Manifest implementation-url http://hc.apache.org/httpcomponents-core-ga Low Product Manifest Implementation-Title HttpComponents Apache HttpCore High Product Manifest specification-title HttpComponents Apache HttpCore Medium Product file name httpcore High Product pom url http://hc.apache.org/httpcomponents-core-ga Medium Product pom groupid apache.httpcomponents Highest Product jar package name apache Highest Product Manifest implementation-build ${scmBranch}@r${buildNumber}; 2019-01-15 10:23:31+0000 Low Product gradle artifactid httpcore Highest Product pom parent-groupid org.apache.httpcomponents Medium Product pom parent-artifactid httpcomponents-core Medium Product jar package name http Highest Product Manifest url http://hc.apache.org/httpcomponents-core-ga Low Product pom name Apache HttpCore High Version pom version 4.4.11 Highest Version file version 4.4.11 High Version Manifest Implementation-Version 4.4.11 High Version gradle version 4.4.11 Highest
httpcore-nio-4.4.11.jar
Description: Apache HttpComponents Core (non-blocking I/O)
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpcore-nio/4.4.11/7d0a97d01d39cff9aa3e6db81f21fddb2435f4e6/httpcore-nio-4.4.11.jar
MD5: 2fcc3dad75151d9891ba8e4a889ab24aa
SHA1: 7d0a97d01d39cff9aa3e6db81f21fddb2435f4e6
SHA256: 112b4e76323f8f69d704d250d7f233a1bd15eb7631a83e80ebbd25de684e4272
Referenced In Projects/Scopes:
elasticsearch:compileClasspath calcite:sqllineClasspath elasticsearch:runtimeClasspath elasticsearch:default Evidence Type Source Name Value Confidence Vendor pom name Apache HttpCore NIO High Vendor pom parent-artifactid httpcomponents-core Low Vendor pom url http://hc.apache.org/httpcomponents-core-ga Highest Vendor Manifest implementation-url http://hc.apache.org/httpcomponents-core-ga Low Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor pom artifactid httpcore-nio Low Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor file name httpcore-nio High Vendor pom groupid apache.httpcomponents Highest Vendor jar package name apache Highest Vendor Manifest Implementation-Vendor-Id org.apache.httpcomponents Medium Vendor gradle groupid org.apache.httpcomponents Highest Vendor Manifest automatic-module-name org.apache.httpcomponents.httpcore.nio Medium Vendor pom parent-groupid org.apache.httpcomponents Medium Vendor jar package name nio Highest Product pom name Apache HttpCore NIO High Product Manifest implementation-url http://hc.apache.org/httpcomponents-core-ga Low Product pom url http://hc.apache.org/httpcomponents-core-ga Medium Product file name httpcore-nio High Product Manifest Implementation-Title Apache HttpCore NIO High Product pom groupid apache.httpcomponents Highest Product jar package name apache Highest Product Manifest automatic-module-name org.apache.httpcomponents.httpcore.nio Medium Product Manifest specification-title Apache HttpCore NIO Medium Product pom parent-groupid org.apache.httpcomponents Medium Product jar package name nio Highest Product pom parent-artifactid httpcomponents-core Medium Product jar package name http Highest Product pom artifactid httpcore-nio Highest Product gradle artifactid httpcore-nio Highest Version pom version 4.4.11 Highest Version file version 4.4.11 High Version Manifest Implementation-Version 4.4.11 High Version gradle version 4.4.11 Highest
ical4j-1.0.2.jarDescription:
A Java library for reading and writing iCalendar (*.ics) files
License: iCal4j - License: LICENSE
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.mnode.ical4j/ical4j/1.0.2/3690b6d480ed15b64be7a687dd4f2869075c555/ical4j-1.0.2.jar
MD5: ed48ee62d9aacbf3f6be0bb0d7ca842c
SHA1: 03690b6d480ed15b64be7a687dd4f2869075c555
SHA256: 40b6b85c2b3862d755199373d96c103a0fc2a0bbf9a136e3f26233711d463add
Referenced In Projects/Scopes: file:compileClasspath file:runtimeClasspath calcite:sqllineClasspath csv:runtimeClasspath file:default csv:default Evidence Type Source Name Value Confidence Vendor Manifest bundle-symbolicname org.mnode.ical4j Medium Vendor pom artifactid ical4j Low Vendor gradle groupid org.mnode.ical4j Highest Vendor pom groupid mnode.ical4j Highest Vendor jar package name ical4j Highest Vendor pom parent-artifactid mnode-parent Low Vendor Manifest bundle-docurl http://micronode.com Low Vendor file name ical4j High Vendor pom name ical4j High Vendor pom parent-groupid org.mnode Medium Vendor pom url http://ical4j.sourceforge.net Highest Product pom groupid mnode.ical4j Highest Product file name ical4j High Product gradle artifactid ical4j Highest Product pom parent-artifactid mnode-parent Medium Product pom name ical4j High Product pom artifactid ical4j Highest Product Manifest bundle-symbolicname org.mnode.ical4j Medium Product pom url http://ical4j.sourceforge.net Medium Product jar package name ical4j Highest Product Manifest bundle-docurl http://micronode.com Low Product Manifest Bundle-Name ical4j Medium Product pom parent-groupid org.mnode Medium Version file version 1.0.2 High Version pom parent-version 1.0.2 Low Version Manifest Bundle-Version 1.0.2 High Version gradle version 1.0.2 Highest Version pom version 1.0.2 Highest
imageinfo-1.9.jar
Description: A free Java class to retrieve properties from image files
License: Public Domain
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.devlib.schmidt/imageinfo/1.9/e9ff2b7c4bc9f3b14a20bed7d08c89f9a4797fd0/imageinfo-1.9.jar
MD5: 4e6047aeeb6c6c2f5040e669ce026190
SHA1: e9ff2b7c4bc9f3b14a20bed7d08c89f9a4797fd0
SHA256: 60a9c9e492280a4806dd13dfa9593bb6273188fc89c0076cab8a2b7ff80d525b
Referenced In Projects/Scopes: babel:fmppClaspath server:fmppClaspath core:fmppClaspath Evidence Type Source Name Value Confidence Vendor pom url http://schmidt.devlib.org/image-info/ Highest Vendor jar package name devlib Highest Vendor file name imageinfo High Vendor jar package name imageinfo Highest Vendor jar package name schmidt Highest Vendor jar package name devlib Low Vendor jar package name imageinfo Low Vendor pom groupid devlib.schmidt Highest Vendor gradle groupid org.devlib.schmidt Highest Vendor pom artifactid imageinfo Low Vendor pom name ImageInfo High Vendor jar package name schmidt Low Product pom url http://schmidt.devlib.org/image-info/ Medium Product pom groupid devlib.schmidt Highest Product jar package name devlib Highest Product pom name ImageInfo High Product file name imageinfo High Product pom artifactid imageinfo Highest Product jar package name imageinfo Highest Product jar package name schmidt Highest Product jar package name imageinfo Low Product gradle artifactid imageinfo Highest Product jar package name schmidt Low Version gradle version 1.9 Highest Version file version 1.9 High Version pom version 1.9 Highest
innodb-java-reader-1.0.10.jar
Description: innodb-java-reader
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.alibaba.database/innodb-java-reader/1.0.10/4fc85a951fc25b1e17184650edd11f78c8c79469/innodb-java-reader-1.0.10.jar
MD5: 91d3b9a9fe1eafa58bceec7b95d403f1
SHA1: 4fc85a951fc25b1e17184650edd11f78c8c79469
SHA256: d40aff74f4f0deac8423da5fbdeeb020171c3a301130976f764d146025f77033
Referenced In Projects/Scopes:
innodb:compileClasspath innodb:runtimeClasspath calcite:sqllineClasspath innodb:default Evidence Type Source Name Value Confidence Vendor pom name innodb-java-reader High Vendor jar package name innodb Low Vendor pom groupid alibaba.database Highest Vendor jar package name java Highest Vendor pom parent-groupid com.alibaba.database Medium Vendor jar package name alibaba Low Vendor jar package name java Low Vendor jar package name reader Highest Vendor file name innodb-java-reader High Vendor jar package name innodb Highest Vendor gradle groupid com.alibaba.database Highest Vendor jar package name alibaba Highest Vendor pom artifactid innodb-java-reader Low Vendor pom parent-artifactid innodb-java-reader-parent Low Product pom parent-artifactid innodb-java-reader-parent Medium Product pom name innodb-java-reader High Product jar package name innodb Low Product pom artifactid innodb-java-reader Highest Product pom groupid alibaba.database Highest Product jar package name reader Low Product jar package name java Highest Product pom parent-groupid com.alibaba.database Medium Product jar package name java Low Product gradle artifactid innodb-java-reader Highest Product jar package name reader Highest Product file name innodb-java-reader High Product jar package name innodb Highest Product jar package name alibaba Highest Version pom version 1.0.10 Highest Version file version 1.0.10 High Version gradle version 1.0.10 Highest
istack-commons-runtime-2.2.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.sun.istack/istack-commons-runtime/2.2/475249c175393a25d953433182edb7c1a0c35dec/istack-commons-runtime-2.2.jar
MD5: 57a578385f55cf8d9f720e4af3b5ca90
SHA1: 475249c175393a25d953433182edb7c1a0c35dec
SHA256: 9828ccc9434c7d08a8a4aae61ae0e6ec7c9e70626f45a741cfa88b310dd0fd78
Referenced In Projects/Scopes:
calcite:sqllineClasspath geode:default geode:runtimeClasspath Evidence Type Source Name Value Confidence Vendor jar package name sun Highest Vendor pom parent-groupid com.sun.istack Medium Vendor jar (hint) package name oracle Low Vendor gradle groupid com.sun.istack Highest Vendor pom artifactid istack-commons-runtime Low Vendor pom groupid sun.istack Highest Vendor file name istack-commons-runtime High Vendor pom name istack common utility code runtime High Vendor pom parent-artifactid istack-commons Low Vendor jar package name sun Low Vendor jar package name istack Low Vendor jar (hint) package name oracle Highest Vendor jar package name istack Highest Product pom name istack common utility code runtime High Product jar package name sun Highest Product pom parent-groupid com.sun.istack Medium Product gradle artifactid istack-commons-runtime Highest Product jar package name istack Low Product pom artifactid istack-commons-runtime Highest Product pom parent-artifactid istack-commons Medium Product pom groupid sun.istack Highest Product jar package name istack Highest Product file name istack-commons-runtime High Version gradle version 2.2 Highest Version file version 2.2 High Version pom version 2.2 Highest
ivy-2.2.0.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.ivy/ivy/2.2.0/f9d1e83e82fc085093510f7d2e77d81d52bc2081/ivy-2.2.0.jar
MD5: 2703395cb677b36bbe04f0e868a10d2b
SHA1: f9d1e83e82fc085093510f7d2e77d81d52bc2081
SHA256: 9d0a56026680999986ca33d53d12d6f28f7bff5e3c9e6e0c6633a3677ca00f18
Referenced In Projects/Scopes:
piglet:compileClasspath piglet:runtimeClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath Evidence Type Source Name Value Confidence Vendor Manifest bundle-docurl http://ant.apache.org/ivy/ Low Vendor jar package name ivy Highest Vendor file name ivy High Vendor Manifest bundle-symbolicname org.apache.ivy Medium Vendor Manifest specification-vendor Apache Software Foundation Low Vendor jar package name apache Highest Vendor gradle groupid org.apache.ivy Highest Vendor Manifest extension-name org.apache.ivy Medium Vendor jar package name apache Low Vendor jar package name ivy Low Vendor Manifest Implementation-Vendor-Id org.apache Medium Vendor Manifest Implementation-Vendor Apache Software Foundation High Product Manifest bundle-docurl http://ant.apache.org/ivy/ Low Product Manifest specification-title Apache Ivy with Ant tasks Medium Product jar package name ivy Highest Product file name ivy High Product Manifest Implementation-Title org.apache.ivy High Product Manifest bundle-symbolicname org.apache.ivy Medium Product jar package name apache Highest Product gradle artifactid ivy Highest Product Manifest Bundle-Name Ivy Medium Product jar package name ant Highest Product Manifest extension-name org.apache.ivy Medium Product jar package name ivy Low Version file version 2.2.0 High Version Manifest Implementation-Version 2.2.0 High
ivy-2.4.0.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.ivy/ivy/2.4.0/5abe4c24bbe992a9ac07ca563d5bd3e8d569e9ed/ivy-2.4.0.jar
MD5: 8c88b943fcd643d5e592b86179c6fbeb
SHA1: 5abe4c24bbe992a9ac07ca563d5bd3e8d569e9ed
SHA256: ce81cb234406b093b5b8de9f6f5b2a50ed0824d6a235891353e8d3e941a53970
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor Manifest bundle-docurl http://ant.apache.org/ivy/ Low Vendor jar package name ivy Highest Vendor file name ivy High Vendor Manifest bundle-symbolicname org.apache.ivy Medium Vendor Manifest specification-vendor Apache Software Foundation Low Vendor jar package name apache Highest Vendor gradle groupid org.apache.ivy Highest Vendor Manifest extension-name org.apache.ivy Medium Vendor jar package name apache Low Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Vendor jar package name ivy Low Vendor Manifest Implementation-Vendor-Id org.apache Medium Vendor Manifest Implementation-Vendor Apache Software Foundation High Product Manifest bundle-docurl http://ant.apache.org/ivy/ Low Product Manifest specification-title Apache Ivy with Ant tasks Medium Product jar package name ivy Highest Product file name ivy High Product Manifest Implementation-Title org.apache.ivy High Product Manifest bundle-symbolicname org.apache.ivy Medium Product jar package name apache Highest Product gradle artifactid ivy Highest Product Manifest Bundle-Name Ivy Medium Product jar package name ant Highest Product Manifest extension-name org.apache.ivy Medium Product Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Product jar package name ivy Low Version Manifest Implementation-Version 2.4.0 High Version file version 2.4.0 High
j2objc-annotations-1.3.jar
Description: A set of annotations that provide additional information to the J2ObjC translator to modify the result of translation.
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.j2objc/j2objc-annotations/1.3/ba035118bc8bac37d7eff77700720999acd9986d/j2objc-annotations-1.3.jar
MD5: 5fa4ec4ec0c5aa70af8a7d4922df1931
SHA1: ba035118bc8bac37d7eff77700720999acd9986d
SHA256: 21af30c92267bd6122c0e0b4d20cccb6641a37eaf956c6540ec471d584e64a7b
Referenced In Projects/Scopes: cassandra:compileClasspath piglet:compileClasspath splunk:checkstyle calcite:checkstyle piglet:runtimeClasspath spark:default splunk:default kafka:default spark:compileClasspath function:checkstyle server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath linq4j:runtimeClasspath linq4j:default druid:checkstyle druid:compileClasspath plus:compileClasspath csv:checkstyle linq4j:compileClasspath pig:default plus:runtimeClasspath splunk:compileClasspath core:checkstyle function:default file:compileClasspath core:implementationDependenciesMetadata file:checkstyle kafka:runtimeClasspath splunk:runtimeClasspath file:runtimeClasspath innodb:runtimeClasspath elasticsearch:default geode:checkstyle kafka:compileClasspath druid:runtimeClasspath mongodb:checkstyle elasticsearch:checkstyle linq4j:checkstyle redis:checkstyle babel:checkstyle mongodb:default cassandra:default innodb:checkstyle cassandra:checkstyle piglet:checkstyle bom:checkstyle babel:default function:runtimeClasspath redis:compileClasspath redis:runtimeClasspath spark:checkstyle plus:checkstyle core:default function:compileClasspath pig:checkstyle elasticsearch:compileClasspath babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default babel:compileClasspath server:checkstyle csv:default innodb:compileClasspath core:compileClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default geode:compileClasspath mongodb:runtimeClasspath release:checkstyle file:default server:default kafka:checkstyle ubenchmark:checkstyle ubenchmark:jmhCompileClasspath example:checkstyle pig:runtimeClasspath mongodb:compileClasspath server:compileClasspath redis:default geode:runtimeClasspath csv:compileClasspath csv:runtimeClasspath plus:default pig:compileClasspath
Evidence (Type Source Name Value Confidence): Vendor jar package name google Highest Vendor jar package name j2objc Low Vendor jar package name annotations Low Vendor pom groupid google.j2objc Highest Vendor jar package name google Low Vendor pom artifactid j2objc-annotations Low Vendor jar package name annotations Highest Vendor gradle groupid com.google.j2objc Highest Vendor file name j2objc-annotations High Vendor pom url google/j2objc/ Highest Vendor jar package name j2objc Highest Vendor pom name J2ObjC Annotations High Product jar package name google Highest Product pom groupid google.j2objc Highest Product jar package name annotations Highest Product jar package name j2objc Low Product gradle artifactid j2objc-annotations Highest Product file name j2objc-annotations High Product pom url google/j2objc/ High Product jar package name j2objc Highest Product pom name J2ObjC Annotations High Product pom artifactid j2objc-annotations Highest Product jar package name annotations Low Version pom version 1.3 Highest Version gradle version 1.3 Highest Version file version 1.3 High
jackson-annotations-2.10.0.jar
Description: Core annotations used for value types, used by Jackson data binding package.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-annotations/2.10.0/e01cfd93b80d6773b3f757c78e756c9755b47b81/jackson-annotations-2.10.0.jar
MD5: 138ada7579397b2a88e41b132b0b46a3
SHA1: e01cfd93b80d6773b3f757c78e756c9755b47b81
SHA256: 77a0846219774a8269bc1b38cc00294908d34e77f8a9da34d97673982f75853d
Referenced In Projects/Scopes: cassandra:compileClasspath piglet:compileClasspath piglet:runtimeClasspath spark:default splunk:default kafka:default spark:compileClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath linq4j:runtimeClasspath linq4j:default druid:compileClasspath plus:compileClasspath linq4j:compileClasspath pig:default plus:runtimeClasspath splunk:compileClasspath function:default file:compileClasspath core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath file:runtimeClasspath innodb:runtimeClasspath elasticsearch:default kafka:compileClasspath druid:runtimeClasspath mongodb:default cassandra:default babel:default function:runtimeClasspath redis:compileClasspath redis:runtimeClasspath core:default function:compileClasspath elasticsearch:compileClasspath babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default babel:compileClasspath csv:default innodb:compileClasspath core:compileClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default geode:compileClasspath mongodb:runtimeClasspath file:default server:default ubenchmark:jmhCompileClasspath pig:runtimeClasspath mongodb:compileClasspath server:compileClasspath redis:default geode:runtimeClasspath csv:compileClasspath csv:runtimeClasspath plus:default pig:compileClasspath
Evidence (Type Source Name Value Confidence): Vendor Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-annotations Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor Manifest implementation-build-date 2019-09-27 02:15:57+0000 Low Vendor pom groupid fasterxml.jackson.core Highest Vendor Manifest specification-vendor FasterXML Low Vendor file name jackson-annotations High Vendor pom parent-artifactid jackson-parent Low Vendor Manifest Implementation-Vendor-Id com.fasterxml.jackson.core Medium Vendor jar package name jackson Highest Vendor jar package name fasterxml Highest Vendor pom url http://github.com/FasterXML/jackson Highest Vendor pom parent-groupid com.fasterxml.jackson Medium Vendor pom artifactid jackson-annotations Low Vendor gradle groupid com.fasterxml.jackson.core Highest Vendor Manifest bundle-docurl http://github.com/FasterXML/jackson Low Vendor Manifest Implementation-Vendor FasterXML High Vendor pom name Jackson-annotations High Product Manifest specification-title Jackson-annotations Medium Product hint analyzer product modules Highest Product Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-annotations Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product Manifest implementation-build-date 2019-09-27 02:15:57+0000 Low Product Manifest Implementation-Title Jackson-annotations High Product pom groupid fasterxml.jackson.core Highest Product file name jackson-annotations High Product hint analyzer product java8 Highest Product jar package name jackson Highest Product Manifest Bundle-Name Jackson-annotations Medium Product jar package name fasterxml Highest Product pom url http://github.com/FasterXML/jackson Medium Product pom parent-artifactid jackson-parent Medium Product pom parent-groupid com.fasterxml.jackson Medium Product Manifest bundle-docurl http://github.com/FasterXML/jackson Low Product pom name Jackson-annotations High Product gradle artifactid jackson-annotations Highest Product pom artifactid jackson-annotations Highest Version pom parent-version 2.10.0 Low Version pom version 2.10.0 Highest Version Manifest Bundle-Version 2.10.0 High Version gradle version 2.10.0 Highest Version file version 2.10.0 High Version Manifest Implementation-Version 2.10.0 High
jackson-core-2.10.0.jar
Description: Core Jackson processing abstractions (aka Streaming API), implementation for JSON
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.10.0/4e2c5fa04648ec9772c63e2101c53af6504e624e/jackson-core-2.10.0.jar
MD5: b109d8d9d0519111d5756389fa5bfd87
SHA1: 4e2c5fa04648ec9772c63e2101c53af6504e624e
SHA256: 69e7695b1e40834fa1242fc328a4010607911ced3706ab79abc769d451197513
Referenced In Projects/Scopes: cassandra:compileClasspath piglet:compileClasspath piglet:runtimeClasspath spark:default splunk:default kafka:default spark:compileClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath linq4j:runtimeClasspath linq4j:default druid:compileClasspath plus:compileClasspath linq4j:compileClasspath pig:default plus:runtimeClasspath splunk:compileClasspath function:default file:compileClasspath core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath file:runtimeClasspath innodb:runtimeClasspath elasticsearch:default kafka:compileClasspath druid:runtimeClasspath mongodb:default cassandra:default babel:default function:runtimeClasspath redis:compileClasspath redis:runtimeClasspath core:default function:compileClasspath elasticsearch:compileClasspath babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default babel:compileClasspath csv:default innodb:compileClasspath core:compileClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default geode:compileClasspath mongodb:runtimeClasspath file:default server:default ubenchmark:jmhCompileClasspath pig:runtimeClasspath mongodb:compileClasspath server:compileClasspath redis:default geode:runtimeClasspath csv:compileClasspath csv:runtimeClasspath plus:default pig:compileClasspath
Evidence (Type Source Name Value Confidence): Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor pom groupid fasterxml.jackson.core Highest Vendor Manifest implementation-build-date 2019-09-26 02:58:28+0000 Low Vendor Manifest specification-vendor FasterXML Low Vendor pom url FasterXML/jackson-core Highest Vendor Manifest bundle-docurl https://github.com/FasterXML/jackson-core Low Vendor Manifest Implementation-Vendor-Id com.fasterxml.jackson.core Medium Vendor jar package name jackson Highest Vendor jar package name fasterxml Highest Vendor pom name Jackson-core High Vendor jar package name core Highest Vendor jar package name base Highest Vendor pom parent-groupid com.fasterxml.jackson Medium Vendor pom parent-artifactid jackson-base Low Vendor gradle groupid com.fasterxml.jackson.core Highest Vendor Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-core Medium Vendor file name jackson-core High Vendor Manifest Implementation-Vendor FasterXML High Vendor jar package name json Highest Vendor pom artifactid jackson-core Low Product hint analyzer product modules Highest Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product pom parent-artifactid jackson-base Medium Product Manifest implementation-build-date 2019-09-26 02:58:28+0000 Low Product Manifest bundle-docurl https://github.com/FasterXML/jackson-core Low Product jar package name jackson Highest Product Manifest Bundle-Name Jackson-core Medium Product jar package name version Highest Product pom artifactid jackson-core Highest Product Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-core Medium Product Manifest specification-title Jackson-core Medium Product pom url FasterXML/jackson-core High Product Manifest Implementation-Title Jackson-core High Product pom groupid fasterxml.jackson.core Highest Product hint analyzer product java8 Highest Product gradle artifactid jackson-core Highest Product jar package name fasterxml Highest Product pom name Jackson-core High Product jar package name core Highest Product jar package name base Highest Product pom parent-groupid com.fasterxml.jackson Medium Product file name jackson-core High Product jar package name filter Highest Product jar package name json Highest Version pom version 2.10.0 Highest Version Manifest Bundle-Version 2.10.0 High Version gradle version 2.10.0 Highest Version file version 2.10.0 High Version Manifest Implementation-Version 2.10.0 High
jackson-core-asl-1.8.8.jar
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-core-asl/1.8.8/dd2e90bb710ea3bc4610e24299d6a4c8dac5049b/jackson-core-asl-1.8.8.jar
MD5: a65a9709da8186ed9a1c739355414460
SHA1: dd2e90bb710ea3bc4610e24299d6a4c8dac5049b
SHA256: 96b394f135bf396679681aca6716d8bea14a97cf306d3738a053c43d07a1308b
Referenced In Projects/Scopes: pig:runtimeClasspath pig:default pig:compileClasspath Evidence Type Source Name Value Confidence Vendor gradle groupid org.codehaus.jackson Highest Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5, JavaSE-1.6 Low Vendor Manifest Implementation-Vendor http://fasterxml.com High Vendor Manifest bundle-symbolicname jackson-core-asl Medium Vendor Manifest specification-vendor http://www.ietf.org/rfc/rfc4627.txt Low Vendor jar package name jackson Low Vendor jar package name jackson Highest Vendor file name jackson-core-asl High Vendor jar package name codehaus Low Product Manifest bundle-requiredexecutionenvironment J2SE-1.5, JavaSE-1.6 Low Product Manifest specification-title JSON - JavaScript Object Notation Medium Product Manifest bundle-symbolicname jackson-core-asl Medium Product Manifest Bundle-Name Jackson JSON processor Medium Product gradle artifactid jackson-core-asl Highest Product Manifest Implementation-Title Jackson JSON processor High Product jar package name jackson Low Product jar package name jackson Highest Product file name jackson-core-asl High Version Manifest Implementation-Version 1.8.8 High Version file version 1.8.8 High
jackson-core-asl-1.9.11.jar
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-core-asl/1.9.11/e32303ef8bd18a5c9272780d49b81c95e05ddf43/jackson-core-asl-1.9.11.jar
MD5: 49801a6d43725d5c3a1a52ca021d7dc5
SHA1: e32303ef8bd18a5c9272780d49b81c95e05ddf43
SHA256: 5fb6924b888550a9b0e8420747a93cc4ad24e03e724dcf4934c30cc0c4882ffc
Referenced In Projects/Scopes: innodb:compileClasspath innodb:runtimeClasspath innodb:default Evidence Type Source Name Value Confidence Vendor gradle groupid org.codehaus.jackson Highest Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5, JavaSE-1.6 Low Vendor Manifest Implementation-Vendor http://fasterxml.com High Vendor Manifest bundle-symbolicname jackson-core-asl Medium Vendor Manifest specification-vendor http://www.ietf.org/rfc/rfc4627.txt Low Vendor jar package name jackson Low Vendor jar package name jackson Highest Vendor file name jackson-core-asl High Vendor jar package name codehaus Low Product Manifest bundle-requiredexecutionenvironment J2SE-1.5, JavaSE-1.6 Low Product Manifest specification-title JSON - JavaScript Object Notation Medium Product Manifest bundle-symbolicname jackson-core-asl Medium Product Manifest Bundle-Name Jackson JSON processor Medium Product gradle artifactid jackson-core-asl Highest Product Manifest Implementation-Title Jackson JSON processor High Product jar package name jackson Low Product jar package name jackson Highest Product file name jackson-core-asl High Version Manifest Implementation-Version 1.9.11 High Version file version 1.9.11 High
jackson-core-asl-1.9.13.jar
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-core-asl/1.9.13/3c304d70f42f832e0a86d45bd437f692129299a4/jackson-core-asl-1.9.13.jar
MD5: 319c49a4304e3fa9fe3cd8dcfc009d37
SHA1: 3c304d70f42f832e0a86d45bd437f692129299a4
SHA256: 440a9cb5ca95b215f953d3a20a6b1a10da1f09b529a9ddea5f8a4905ddab4f5a
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor gradle groupid org.codehaus.jackson Highest Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5, JavaSE-1.6 Low Vendor Manifest Implementation-Vendor http://fasterxml.com High Vendor Manifest bundle-symbolicname jackson-core-asl Medium Vendor Manifest specification-vendor http://www.ietf.org/rfc/rfc4627.txt Low Vendor jar package name jackson Low Vendor jar package name jackson Highest Vendor file name jackson-core-asl High Vendor jar package name codehaus Low Product Manifest bundle-requiredexecutionenvironment J2SE-1.5, JavaSE-1.6 Low Product Manifest specification-title JSON - JavaScript Object Notation Medium Product Manifest bundle-symbolicname jackson-core-asl Medium Product Manifest Bundle-Name Jackson JSON processor Medium Product gradle artifactid jackson-core-asl Highest Product Manifest Implementation-Title Jackson JSON processor High Product jar package name jackson Low Product jar package name jackson Highest Product file name jackson-core-asl High Version Manifest Implementation-Version 1.9.13 High Version file version 1.9.13 High
jackson-databind-2.10.0.jar
Description: General data-binding functionality for Jackson: works on core streaming API
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.10.0/1127c9cf62f2bb3121a3a2a0a1351d251a602117/jackson-databind-2.10.0.jar
MD5: 195bfa368ad502b05427d9fb0346735d
SHA1: 1127c9cf62f2bb3121a3a2a0a1351d251a602117
SHA256: 8e6c566c67fc61a96c5dfc4a71d430f2565765778ec9a6ef216c5460a9911b60
Referenced In Projects/Scopes: cassandra:compileClasspath piglet:compileClasspath piglet:runtimeClasspath spark:default splunk:default kafka:default spark:compileClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath linq4j:runtimeClasspath linq4j:default druid:compileClasspath plus:compileClasspath linq4j:compileClasspath pig:default plus:runtimeClasspath splunk:compileClasspath function:default file:compileClasspath core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath file:runtimeClasspath innodb:runtimeClasspath elasticsearch:default kafka:compileClasspath druid:runtimeClasspath mongodb:default cassandra:default babel:default function:runtimeClasspath redis:compileClasspath redis:runtimeClasspath core:default function:compileClasspath elasticsearch:compileClasspath babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default babel:compileClasspath csv:default innodb:compileClasspath core:compileClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default geode:compileClasspath mongodb:runtimeClasspath file:default server:default ubenchmark:jmhCompileClasspath pig:runtimeClasspath mongodb:compileClasspath server:compileClasspath redis:default geode:runtimeClasspath csv:compileClasspath csv:runtimeClasspath plus:default pig:compileClasspath
Evidence (Type Source Name Value Confidence): Vendor pom groupid fasterxml.jackson.core Highest Vendor Manifest specification-vendor FasterXML Low Vendor pom name jackson-databind High Vendor Manifest implementation-build-date 2019-09-26 03:19:54+0000 Low Vendor Manifest Implementation-Vendor-Id com.fasterxml.jackson.core Medium Vendor jar package name jackson Highest Vendor jar package name fasterxml Highest Vendor pom artifactid jackson-databind Low Vendor jar package name databind Highest Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor pom url http://github.com/FasterXML/jackson Highest Vendor pom parent-groupid com.fasterxml.jackson Medium Vendor pom parent-artifactid jackson-base Low Vendor gradle groupid com.fasterxml.jackson.core Highest Vendor Manifest bundle-docurl http://github.com/FasterXML/jackson Low Vendor Manifest Implementation-Vendor FasterXML High Vendor file name jackson-databind High Vendor Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-databind Medium Product hint analyzer product modules Highest Product pom parent-artifactid jackson-base Medium Product Manifest Implementation-Title jackson-databind High Product pom groupid fasterxml.jackson.core Highest Product pom artifactid jackson-databind Highest Product Manifest specification-title jackson-databind Medium Product gradle artifactid jackson-databind Highest Product pom name jackson-databind High Product hint analyzer product java8 Highest Product Manifest implementation-build-date 2019-09-26 03:19:54+0000 Low Product jar package name jackson Highest Product jar package name fasterxml Highest Product pom url http://github.com/FasterXML/jackson Medium Product jar package name databind Highest Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product pom parent-groupid com.fasterxml.jackson Medium Product Manifest bundle-docurl http://github.com/FasterXML/jackson Low Product file name jackson-databind High Product Manifest bundle-symbolicname com.fasterxml.jackson.core.jackson-databind Medium Product Manifest Bundle-Name jackson-databind Medium Version pom version 2.10.0 Highest Version Manifest Bundle-Version 2.10.0 High Version gradle version 2.10.0 Highest Version file version 2.10.0 High Version Manifest Implementation-Version 2.10.0 High
Published Vulnerabilities
CVE-2020-25649
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
jackson-dataformat-yaml-2.10.0.jar
Description: Support for reading and writing YAML-encoded data via Jackson abstractions.
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml/2.10.0/601e067f98b39f7991f66d99a3228044b9bf37c8/jackson-dataformat-yaml-2.10.0.jar
MD5: bf7bf4a029e965435d9bb1dbf8dc60b1
SHA1: 601e067f98b39f7991f66d99a3228044b9bf37c8
SHA256: 235cb6f2816d55aa5e8a1c6e37b142cfc2bd5e459aa733820d68e736b6527f7c
Referenced In Projects/Scopes: babel:default piglet:runtimeClasspath spark:default splunk:default function:runtimeClasspath kafka:default redis:runtimeClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath core:default babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default pig:default plus:runtimeClasspath function:default csv:default core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath core:compileClasspath file:runtimeClasspath innodb:runtimeClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default elasticsearch:default druid:runtimeClasspath mongodb:runtimeClasspath file:default server:default pig:runtimeClasspath mongodb:default redis:default geode:runtimeClasspath csv:runtimeClasspath plus:default cassandra:default
Evidence (Type Source Name Value Confidence): Vendor Manifest bundle-symbolicname com.fasterxml.jackson.dataformat.jackson-dataformat-yaml Medium Vendor pom parent-groupid com.fasterxml.jackson.dataformat Medium Vendor pom artifactid jackson-dataformat-yaml Low Vendor Manifest specification-vendor FasterXML Low Vendor gradle groupid com.fasterxml.jackson.dataformat Highest Vendor jar package name yaml Highest Vendor Manifest implementation-build-date 2019-09-26 21:12:50+0000 Low Vendor pom name Jackson-dataformat-YAML High Vendor jar package name jackson Highest Vendor Manifest bundle-docurl https://github.com/FasterXML/jackson-dataformats-text Low Vendor jar package name fasterxml Highest Vendor Manifest Implementation-Vendor-Id com.fasterxml.jackson.dataformat Medium Vendor jar package name dataformat Highest Vendor pom groupid fasterxml.jackson.dataformat Highest Vendor pom parent-artifactid jackson-dataformats-text Low Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor pom url FasterXML/jackson-dataformats-text Highest Vendor file name jackson-dataformat-yaml High Vendor Manifest Implementation-Vendor FasterXML High Product Manifest bundle-symbolicname com.fasterxml.jackson.dataformat.jackson-dataformat-yaml Medium Product pom parent-groupid com.fasterxml.jackson.dataformat Medium Product jar package name yaml Highest Product Manifest implementation-build-date 2019-09-26 21:12:50+0000 Low Product pom artifactid jackson-dataformat-yaml Highest Product pom name Jackson-dataformat-YAML High Product jar package name jackson Highest Product Manifest bundle-docurl https://github.com/FasterXML/jackson-dataformats-text Low Product gradle artifactid jackson-dataformat-yaml Highest Product jar package name fasterxml Highest Product Manifest specification-title Jackson-dataformat-YAML Medium Product jar package name dataformat Highest Product pom groupid fasterxml.jackson.dataformat Highest Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product Manifest Implementation-Title Jackson-dataformat-YAML High Product file name jackson-dataformat-yaml High Product pom parent-artifactid jackson-dataformats-text Medium Product pom url FasterXML/jackson-dataformats-text High Product Manifest Bundle-Name Jackson-dataformat-YAML Medium Version pom version 2.10.0 Highest Version Manifest Bundle-Version 2.10.0 High Version gradle version 2.10.0 Highest Version file version 2.10.0 High Version Manifest Implementation-Version 2.10.0 High
jackson-jaxrs-1.8.3.jar
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-jaxrs/1.8.3/3604ca9f572170e2ef5813141ec1f0e0100efd19/jackson-jaxrs-1.8.3.jar
MD5: 7634227657d2414a0c65e0818b30d5ed
SHA1: 3604ca9f572170e2ef5813141ec1f0e0100efd19
SHA256: cadd12137aaf121722630d00117df63e34afc5b3dab5be68c921740114a05fba
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath piglet:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | bundle-symbolicname | jackson-jaxrs | Medium
Vendor | gradle | groupid | org.codehaus.jackson | Highest
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5, JavaSE-1.6 | Low
Vendor | Manifest | Implementation-Vendor | http://fasterxml.com | High
Vendor | jar | package name | jaxrs | Low
Vendor | file | name | jackson-jaxrs | High
Vendor | jar | package name | jackson | Low
Vendor | jar | package name | jackson | Highest
Vendor | jar | package name | jaxrs | Highest
Vendor | jar | package name | codehaus | Low
Product | Manifest | bundle-symbolicname | jackson-jaxrs | Medium
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5, JavaSE-1.6 | Low
Product | Manifest | Bundle-Name | JAX-RS provider for JSON content type, using Jackson data binding | Medium
Product | jar | package name | jaxrs | Low
Product | gradle | artifactid | jackson-jaxrs | Highest
Product | file | name | jackson-jaxrs | High
Product | Manifest | Implementation-Title | JAX-RS provider for JSON content type, using Jackson data binding | High
Product | jar | package name | jackson | Low
Product | jar | package name | jackson | Highest
Product | jar | package name | jaxrs | Highest
Version | file | version | 1.8.3 | High
Version | Manifest | Implementation-Version | 1.8.3 | High
Published Vulnerabilities
CVE-2018-7489
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CWE-502 Deserialization of Untrusted Data, CWE-184 Incomplete Blacklist
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
jackson-jaxrs-1.9.13.jar
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-jaxrs/1.9.13/534d72d2b9d6199dd531dfb27083dd4844082bba/jackson-jaxrs-1.9.13.jar
MD5: 8481e1904d9bfe974157a6af04b4445e
SHA1: 534d72d2b9d6199dd531dfb27083dd4844082bba
SHA256: 1770570a6ba5c87a4795c0aeb40ee7c5fe5e31df64ef1d4795a0d427796b84bb
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | bundle-symbolicname | jackson-jaxrs | Medium
Vendor | gradle | groupid | org.codehaus.jackson | Highest
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5, JavaSE-1.6 | Low
Vendor | Manifest | Implementation-Vendor | http://fasterxml.com | High
Vendor | jar | package name | jaxrs | Low
Vendor | file | name | jackson-jaxrs | High
Vendor | jar | package name | jackson | Low
Vendor | jar | package name | jackson | Highest
Vendor | jar | package name | jaxrs | Highest
Vendor | jar | package name | codehaus | Low
Product | Manifest | bundle-symbolicname | jackson-jaxrs | Medium
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5, JavaSE-1.6 | Low
Product | Manifest | Bundle-Name | JAX-RS provider for JSON content type, using Jackson data binding | Medium
Product | jar | package name | jaxrs | Low
Product | gradle | artifactid | jackson-jaxrs | Highest
Product | file | name | jackson-jaxrs | High
Product | Manifest | Implementation-Title | JAX-RS provider for JSON content type, using Jackson data binding | High
Product | jar | package name | jackson | Low
Product | jar | package name | jackson | Highest
Product | jar | package name | jaxrs | Highest
Version | Manifest | Implementation-Version | 1.9.13 | High
Version | file | version | 1.9.13 | High
Published Vulnerabilities
CVE-2018-7489
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CWE-502 Deserialization of Untrusted Data, CWE-184 Incomplete Blacklist
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
jackson-mapper-asl-1.8.8.jar
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-mapper-asl/1.8.8/1bb32d9d2527c083a56e234acca49a48d3c65c8/jackson-mapper-asl-1.8.8.jar
MD5: 3e6795b01c7b5fa40eeae9fe4eb7b523
SHA1: 01bb32d9d2527c083a56e234acca49a48d3c65c8
SHA256: 56436abd3e06c45e496b8604fd3f3b0f22451a9b5de8433b6f8b416e7a14a048
Referenced In Projects/Scopes: pig:runtimeClasspath pig:default pig:compileClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | gradle | groupid | org.codehaus.jackson | Highest
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5, JavaSE-1.6 | Low
Vendor | Manifest | Implementation-Vendor | http://fasterxml.com | High
Vendor | file | name | jackson-mapper-asl | High
Vendor | Manifest | bundle-symbolicname | jackson-mapper-asl | Medium
Vendor | jar | package name | jackson | Low
Vendor | jar | package name | jackson | Highest
Vendor | jar | package name | codehaus | Low
Vendor | jar | package name | map | Low
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5, JavaSE-1.6 | Low
Product | Manifest | Bundle-Name | Data mapper for Jackson JSON processor | Medium
Product | file | name | jackson-mapper-asl | High
Product | Manifest | bundle-symbolicname | jackson-mapper-asl | Medium
Product | jar | package name | jackson | Low
Product | jar | package name | jackson | Highest
Product | Manifest | Implementation-Title | Data mapper for Jackson JSON processor | High
Product | gradle | artifactid | jackson-mapper-asl | Highest
Product | jar | package name | map | Low
Version | Manifest | Implementation-Version | 1.8.8 | High
Version | file | version | 1.8.8 | High
Published Vulnerabilities
CVE-2017-15095 (OSSINDEX)
A deserialization flaw was discovered in jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*
CVE-2017-17485 (OSSINDEX)
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*
CVE-2017-7525 (OSSINDEX)
A deserialization flaw was discovered in jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*
CVE-2018-1000873 (OSSINDEX)
FasterXML Jackson before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial of service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*
CVE-2018-14718 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*
CVE-2018-5968 (OSSINDEX)
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
CVSSv3:
Base Score: HIGH (8.1) Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*
CVE-2018-7489 (OSSINDEX)
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*
CVE-2019-14540 (OSSINDEX)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*
CVE-2019-14893 (OSSINDEX)
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*
CVE-2019-16335 (OSSINDEX)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*
CVE-2019-17267 (OSSINDEX)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.8.8:*:*:*:*:*:*:*
jackson-mapper-asl-1.9.11.jar
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-mapper-asl/1.9.11/45d70862fa016993193075a1e8e32a01dcf438e8/jackson-mapper-asl-1.9.11.jar
MD5: 8f10143a94de3e786dd53db10fa54598
SHA1: 45d70862fa016993193075a1e8e32a01dcf438e8
SHA256: 246ee4dcb26cb040608eab5d978efe2618564568923c0a98e6118f8858b31def
Referenced In Projects/Scopes: innodb:compileClasspath innodb:runtimeClasspath innodb:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | gradle | groupid | org.codehaus.jackson | Highest
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5, JavaSE-1.6 | Low
Vendor | Manifest | Implementation-Vendor | http://fasterxml.com | High
Vendor | file | name | jackson-mapper-asl | High
Vendor | Manifest | bundle-symbolicname | jackson-mapper-asl | Medium
Vendor | jar | package name | jackson | Low
Vendor | jar | package name | jackson | Highest
Vendor | jar | package name | codehaus | Low
Vendor | jar | package name | map | Low
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5, JavaSE-1.6 | Low
Product | Manifest | Bundle-Name | Data mapper for Jackson JSON processor | Medium
Product | file | name | jackson-mapper-asl | High
Product | Manifest | bundle-symbolicname | jackson-mapper-asl | Medium
Product | jar | package name | jackson | Low
Product | jar | package name | jackson | Highest
Product | Manifest | Implementation-Title | Data mapper for Jackson JSON processor | High
Product | gradle | artifactid | jackson-mapper-asl | Highest
Product | jar | package name | map | Low
Version | Manifest | Implementation-Version | 1.9.11 | High
Version | file | version | 1.9.11 | High
Published Vulnerabilities
CVE-2017-15095 (OSSINDEX)
A deserialization flaw was discovered in jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*
CVE-2017-17485 (OSSINDEX)
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*
CVE-2017-7525 (OSSINDEX)
A deserialization flaw was discovered in jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*
CVE-2018-1000873 (OSSINDEX)
FasterXML Jackson before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial of service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*
CVE-2018-14718 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*
CVE-2018-5968 (OSSINDEX)
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
CVSSv3:
Base Score: HIGH (8.1) Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*
CVE-2018-7489 (OSSINDEX)
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*
CVE-2019-10172
A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affect the codehaus jackson-mapper-asl libraries, but in different classes.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2019-14540 (OSSINDEX)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*
CVE-2019-14893 (OSSINDEX)
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*
CVE-2019-16335 (OSSINDEX)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*
CVE-2019-17267 (OSSINDEX)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.11:*:*:*:*:*:*:*
jackson-mapper-asl-1.9.13.jar
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-mapper-asl/1.9.13/1ee2f2bed0e5dd29d1cb155a166e6f8d50bbddb7/jackson-mapper-asl-1.9.13.jar
MD5: 1750f9c339352fc4b728d61b57171613
SHA1: 1ee2f2bed0e5dd29d1cb155a166e6f8d50bbddb7
SHA256: 74e7a07a76f2edbade29312a5a2ebccfa019128bc021ece3856d76197e9be0c2
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | gradle | groupid | org.codehaus.jackson | Highest
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5, JavaSE-1.6 | Low
Vendor | Manifest | Implementation-Vendor | http://fasterxml.com | High
Vendor | file | name | jackson-mapper-asl | High
Vendor | Manifest | bundle-symbolicname | jackson-mapper-asl | Medium
Vendor | jar | package name | jackson | Low
Vendor | jar | package name | jackson | Highest
Vendor | jar | package name | codehaus | Low
Vendor | jar | package name | map | Low
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5, JavaSE-1.6 | Low
Product | Manifest | Bundle-Name | Data mapper for Jackson JSON processor | Medium
Product | file | name | jackson-mapper-asl | High
Product | Manifest | bundle-symbolicname | jackson-mapper-asl | Medium
Product | jar | package name | jackson | Low
Product | jar | package name | jackson | Highest
Product | Manifest | Implementation-Title | Data mapper for Jackson JSON processor | High
Product | gradle | artifactid | jackson-mapper-asl | Highest
Product | jar | package name | map | Low
Version | Manifest | Implementation-Version | 1.9.13 | High
Version | file | version | 1.9.13 | High
Published Vulnerabilities
CVE-2017-15095 (OSSINDEX)
A deserialization flaw was discovered in jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*
CVE-2017-17485 (OSSINDEX)
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*
CVE-2017-7525 (OSSINDEX)
A deserialization flaw was discovered in jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*
CVE-2018-1000873 (OSSINDEX)
FasterXML Jackson before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial of service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CVSSv3:
Base Score: MEDIUM (6.5) Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*
CVE-2018-14718 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*
CVE-2018-5968 (OSSINDEX)
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
CVSSv3:
Base Score: HIGH (8.1) Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*
CVE-2018-7489 (OSSINDEX)
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*
CVE-2019-10172
A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affect the codehaus jackson-mapper-asl libraries, but in different classes.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2019-14540 (OSSINDEX)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*
CVE-2019-14893 (OSSINDEX)
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*
CVE-2019-16335 (OSSINDEX)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*
CVE-2019-17267 (OSSINDEX)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.codehaus.jackson:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*
jackson-module-paranamer-2.10.0.jar
Description:
AnnotationIntrospectors that use Paranamer (http://paranamer.codehaus.org)
to introspect names of constructor (and factory method) parameters.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.module/jackson-module-paranamer/2.10.0/4fc4ba10b328a53ac5653cee15504621c6b66083/jackson-module-paranamer-2.10.0.jar
MD5: e3076d5b57027a2ff197335bd3d743d4
SHA1: 4fc4ba10b328a53ac5653cee15504621c6b66083
SHA256: dc9eee4074dd07ee3b1659bd1ace067cc67a0329ddee426b8499ec40226d881f
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | paranamer | Highest
Vendor | pom | parent-artifactid | jackson-modules-base | Low
Vendor | pom | name | Jackson module: Paranamer | High
Vendor | Manifest | specification-vendor | FasterXML | Low
Vendor | Manifest | implementation-build-date | 2019-09-26 06:18:14+0000 | Low
Vendor | pom | url | FasterXML/jackson-modules-base | Highest
Vendor | jar | package name | jackson | Highest
Vendor | Manifest | bundle-symbolicname | com.fasterxml.jackson.module.jackson-module-paranamer | Medium
Vendor | jar | package name | fasterxml | Highest
Vendor | pom | groupid | fasterxml.jackson.module | Highest
Vendor | file | name | jackson-module-paranamer | High
Vendor | pom | parent-groupid | com.fasterxml.jackson.module | Medium
Vendor | gradle | groupid | com.fasterxml.jackson.module | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | pom | artifactid | jackson-module-paranamer | Low
Vendor | Manifest | Implementation-Vendor-Id | com.fasterxml.jackson.module | Medium
Vendor | Manifest | Implementation-Vendor | FasterXML | High
Vendor | jar | package name | module | Highest
Vendor | Manifest | bundle-docurl | https://github.com/FasterXML/jackson-modules-base | Low
Product | jar | package name | paranamer | Highest
Product | pom | name | Jackson module: Paranamer | High
Product | pom | url | FasterXML/jackson-modules-base | High
Product | Manifest | implementation-build-date | 2019-09-26 06:18:14+0000 | Low
Product | jar | package name | jackson | Highest
Product | Manifest | specification-title | Jackson module: Paranamer | Medium
Product | Manifest | bundle-symbolicname | com.fasterxml.jackson.module.jackson-module-paranamer | Medium
Product | jar | package name | fasterxml | Highest
Product | pom | groupid | fasterxml.jackson.module | Highest
Product | file | name | jackson-module-paranamer | High
Product | Manifest | Implementation-Title | Jackson module: Paranamer | High
Product | pom | parent-groupid | com.fasterxml.jackson.module | Medium
Product | gradle | artifactid | jackson-module-paranamer | Highest
Product | pom | parent-artifactid | jackson-modules-base | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | Manifest | Bundle-Name | Jackson module: Paranamer | Medium
Product | pom | artifactid | jackson-module-paranamer | Highest
Product | jar | package name | module | Highest
Product | Manifest | bundle-docurl | https://github.com/FasterXML/jackson-modules-base | Low
Version | pom | version | 2.10.0 | Highest
Version | Manifest | Bundle-Version | 2.10.0 | High
Version | gradle | version | 2.10.0 | Highest
Version | file | version | 2.10.0 | High
Version | Manifest | Implementation-Version | 2.10.0 | High
jackson-module-scala_2.10-2.10.0.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.module/jackson-module-scala_2.10/2.10.0/bb3cc67f3ff6c8a1ebddfdecdc5eeecfd05bec7d/jackson-module-scala_2.10-2.10.0.jar
MD5: f3848d15fb91e5c626c9f0ddeabea57a
SHA1: bb3cc67f3ff6c8a1ebddfdecdc5eeecfd05bec7d
SHA256: cdb14b18f13ec74bf908532f38629d75ba7744ec2255ee5ebc5bd7f76b5fe623
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | gradle | groupid | com.fasterxml.jackson.module | Highest
Vendor | file | name | jackson-module-scala_2.10-2.10.0 | High
Vendor | Manifest | bundle-symbolicname | com.fasterxml.jackson.module.jackson.module.scala | Medium
Vendor | jar | package name | scala | Highest
Vendor | jar | package name | fasterxml | Low
Vendor | jar | package name | module | Low
Vendor | jar | package name | jackson | Low
Vendor | jar | package name | jackson | Highest
Vendor | jar | package name | fasterxml | Highest
Vendor | jar | package name | module | Highest
Product | file | name | jackson-module-scala_2.10-2.10.0 | High
Product | Manifest | bundle-symbolicname | com.fasterxml.jackson.module.jackson.module.scala | Medium
Product | Manifest | Bundle-Name | com.fasterxml.jackson.module.jackson.module.scala | Medium
Product | jar | package name | scala | Highest
Product | jar | package name | module | Low
Product | jar | package name | jackson | Low
Product | jar | package name | scala | Low
Product | jar | package name | jackson | Highest
Product | jar | package name | fasterxml | Highest
Product | jar | package name | module | Highest
Product | gradle | artifactid | jackson-module-scala_2.10 | Highest
Version | Manifest | Bundle-Version | 2.10.0 | High
Version | gradle | version | 2.10.0 | Highest
jackson-xc-1.8.3.jar
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-xc/1.8.3/1226667dcdb7c259b3ee07e112ed83446554516e/jackson-xc-1.8.3.jar
MD5: 0ee32b08580654d69147ecfab0321270
SHA1: 1226667dcdb7c259b3ee07e112ed83446554516e
SHA256: e25789f6d6e0c60c0f46f89d33586190bef23626d9efd3b5d41fe42b45afec96
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath piglet:default Evidence Type Source Name Value Confidence Vendor gradle groupid org.codehaus.jackson Highest Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5, JavaSE-1.6 Low Vendor Manifest Implementation-Vendor http://fasterxml.com High Vendor Manifest bundle-symbolicname jackson-xc Medium Vendor file name jackson-xc High Vendor jar package name xc Low Vendor jar package name jackson Low Vendor jar package name jackson Highest Vendor jar package name xc Highest Vendor jar package name codehaus Low Product Manifest bundle-requiredexecutionenvironment J2SE-1.5, JavaSE-1.6 Low Product Manifest bundle-symbolicname jackson-xc Medium Product Manifest Implementation-Title XML Compatibility extensions for Jackson data binding High Product file name jackson-xc High Product gradle artifactid jackson-xc Highest Product jar package name xc Low Product Manifest Bundle-Name XML Compatibility extensions for Jackson data binding Medium Product jar package name jackson Low Product jar package name jackson Highest Product jar package name xc Highest Version file version 1.8.3 High Version Manifest Implementation-Version 1.8.3 High
Published Vulnerabilities
CVE-2018-7489
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. CWE-502 Deserialization of Untrusted Data, CWE-184 Incomplete Blacklist
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
jackson-xc-1.9.13.jar
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-xc/1.9.13/e3480072bc95c202476ffa1de99ff7ee9149f29c/jackson-xc-1.9.13.jar
MD5: 49f6a735bae30745dcf5ecec27090720
SHA1: e3480072bc95c202476ffa1de99ff7ee9149f29c
SHA256: 2d2905fcec7d1c55b775995617685dbb03672350704d9e40b492eab5b54d0be7
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor gradle groupid org.codehaus.jackson Highest Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5, JavaSE-1.6 Low Vendor Manifest Implementation-Vendor http://fasterxml.com High Vendor Manifest bundle-symbolicname jackson-xc Medium Vendor file name jackson-xc High Vendor jar package name xc Low Vendor jar package name jackson Low Vendor jar package name jackson Highest Vendor jar package name xc Highest Vendor jar package name codehaus Low Product Manifest bundle-requiredexecutionenvironment J2SE-1.5, JavaSE-1.6 Low Product Manifest bundle-symbolicname jackson-xc Medium Product Manifest Implementation-Title XML Compatibility extensions for Jackson data binding High Product file name jackson-xc High Product gradle artifactid jackson-xc Highest Product jar package name xc Low Product Manifest Bundle-Name XML Compatibility extensions for Jackson data binding Medium Product jar package name jackson Low Product jar package name jackson Highest Product jar package name xc Highest Version Manifest Implementation-Version 1.9.13 High Version file version 1.9.13 High
Published Vulnerabilities
CVE-2018-7489
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. CWE-502 Deserialization of Untrusted Data, CWE-184 Incomplete Blacklist
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
jandex-2.2.3.Final.jar
Description: Parent POM for JBoss projects. Provides default project build configuration.
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jboss/jandex/2.2.3.Final/d3865101f0666b63586683bd811d754517f331ab/jandex-2.2.3.Final.jar
MD5: 721b5868cfbb718dd97facc96929dde8
SHA1: d3865101f0666b63586683bd811d754517f331ab
SHA256: 0544d55ec0cb378fd8f3b20e66277f893f3094cb67e71a1ec0cce6ce150f83b3
Referenced In Projects/Scopes: plus:jandexClasspath redis:jandexClasspath splunk:jandexClasspath kafka:jandexClasspath csv:jandexClasspath core:jandexClasspath piglet:jandexClasspath linq4j:jandexClasspath babel:jandexClasspath server:jandexClasspath function:jandexClasspath geode:jandexClasspath mongodb:jandexClasspath ubenchmark:jandexClasspath innodb:jandexClasspath druid:jandexClasspath spark:jandexClasspath pig:jandexClasspath elasticsearch:jandexClasspath cassandra:jandexClasspath file:jandexClasspath Evidence Type Source Name Value Confidence Vendor file name jandex High Vendor Manifest bundle-symbolicname org.jboss.jandex Medium Vendor pom parent-groupid org.jboss Medium Vendor Manifest bundle-docurl http://www.jboss.org Low Vendor Manifest automatic-module-name org.jboss.jandex Medium Vendor pom artifactid jandex Low Vendor Manifest specification-vendor JBoss by Red Hat Low Vendor pom parent-artifactid jboss-parent Low Vendor Manifest implementation-url http://www.jboss.org/jandex Low Vendor Manifest Implementation-Vendor-Id org.jboss Medium Vendor hint analyzer vendor redhat Highest Vendor jar package name jandex Highest Vendor Manifest os-arch x86_64 Low Vendor Manifest Implementation-Vendor JBoss by Red Hat High Vendor pom groupid jboss Highest Vendor jar package name jboss Highest Vendor Manifest java-vendor AdoptOpenJDK Medium Vendor pom name Java Annotation Indexer High Vendor jar package name indexer Highest Vendor gradle groupid org.jboss Highest Vendor Manifest build-timestamp Fri, 22 Jan 2021 15:14:59 -0600 Low Vendor Manifest os-name Mac OS X Medium Product Manifest Bundle-Name Java Annotation Indexer Medium Product gradle artifactid jandex Highest Product file name jandex High Product Manifest bundle-symbolicname org.jboss.jandex Medium Product pom parent-groupid org.jboss Medium Product Manifest bundle-docurl http://www.jboss.org Low Product Manifest automatic-module-name org.jboss.jandex Medium Product pom artifactid jandex Highest Product 
Manifest implementation-url http://www.jboss.org/jandex Low Product jar package name jandex Highest Product pom parent-artifactid jboss-parent Medium Product Manifest os-arch x86_64 Low Product pom groupid jboss Highest Product jar package name jboss Highest Product Manifest Implementation-Title Java Annotation Indexer High Product jar package name indexer Highest Product pom name Java Annotation Indexer High Product Manifest specification-title Java Annotation Indexer Medium Product Manifest build-timestamp Fri, 22 Jan 2021 15:14:59 -0600 Low Product Manifest os-name Mac OS X Medium Version pom version 2.2.3.Final Highest Version gradle version 2.2.3.Final Highest Version Manifest Implementation-Version 2.2.3.Final High Version Manifest Bundle-Version 2.2.3.Final High Version pom parent-version 2.2.3.Final Low
janino-3.0.11.jar
Description: The "JANINO" implementation of the "commons-compiler" API: Super-small, super-fast, independent from the JDK's "tools.jar".
License: https://raw.githubusercontent.com/janino-compiler/janino/master/LICENSE
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.janino/janino/3.0.11/e699e368095379ba0402ea1780a87fcaea16e68f/janino-3.0.11.jar
MD5: a6e6d343f1a8c5c36b1a0483e7f5fbab
SHA1: e699e368095379ba0402ea1780a87fcaea16e68f
SHA256: 9237b71d2329180e59210e9aaa100ee313454ef0ae588608c75cb19319591be1
Referenced In Projects/Scopes: babel:default piglet:runtimeClasspath spark:default splunk:default function:runtimeClasspath kafka:default redis:runtimeClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath core:default babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default pig:default plus:runtimeClasspath function:default csv:default core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath core:compileClasspath file:runtimeClasspath innodb:runtimeClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default elasticsearch:default druid:runtimeClasspath mongodb:runtimeClasspath file:default server:default pig:runtimeClasspath mongodb:default redis:default geode:runtimeClasspath csv:runtimeClasspath plus:default cassandra:default Evidence Type Source Name Value Confidence Vendor file name janino High Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor jar package name compiler Highest Vendor pom parent-groupid org.codehaus.janino Medium Vendor jar package name janino Highest Vendor pom groupid codehaus.janino Highest Vendor Manifest bundle-symbolicname org.codehaus.janino.janino;singleton:=true Medium Vendor pom artifactid janino Low Vendor jar package name tools Highest Vendor jar package name codehaus Highest Vendor gradle groupid org.codehaus.janino Highest Vendor pom parent-artifactid janino-parent Low Vendor Manifest require-bundle org.codehaus.janino.commons-compiler Low Vendor pom name janino High Product file name janino High Product gradle artifactid janino Highest Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product pom parent-artifactid janino-parent Medium Product jar package name compiler Highest Product jar package name java Highest Product pom parent-groupid org.codehaus.janino Medium Product jar package name janino Highest Product pom groupid 
codehaus.janino Highest Product Manifest bundle-symbolicname org.codehaus.janino.janino;singleton:=true Medium Product Manifest Bundle-Name janino Medium Product pom artifactid janino Highest Product jar package name tools Highest Product jar package name codehaus Highest Product Manifest require-bundle org.codehaus.janino.commons-compiler Low Product pom name janino High Version gradle version 3.0.11 Highest Version Manifest Bundle-Version 3.0.11 High Version pom version 3.0.11 Highest Version file version 3.0.11 High
jansi-2.1.0.jar
Description: Jansi is a Java library for generating and interpreting ANSI escape sequences.
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.fusesource.jansi/jansi/2.1.0/605acb1326439709ac32b1bdf7c2606b9ba7fc35/jansi-2.1.0.jar
MD5: 31bc4466e404217ca889f933a5540780
SHA1: 605acb1326439709ac32b1bdf7c2606b9ba7fc35
SHA256: d207c1114741e7544a8f17c07b53d91689c0716c54eaf8f3b7149e73b0ec1b09
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence Type Source Name Value Confidence Vendor file name jansi High Vendor pom url http://fusesource.github.io/jansi Highest Vendor Manifest automatic-module-name org.fusesource.jansi Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor gradle groupid org.fusesource.jansi Highest Vendor pom parent-artifactid fusesource-pom Low Vendor Manifest build-jdk-spec 11 Low Vendor Manifest bundle-docurl http://fusesource.com/ Low Vendor pom parent-groupid org.fusesource Medium Vendor pom groupid fusesource.jansi Highest Vendor jar package name jansi Highest Vendor jar package name fusesource Highest Vendor pom artifactid jansi Low Vendor Manifest bundle-symbolicname org.fusesource.jansi Medium Vendor pom name ${project.artifactId} High Vendor Manifest Implementation-Vendor FuseSource, Corp. High Product pom url http://fusesource.github.io/jansi Medium Product file name jansi High Product Manifest automatic-module-name org.fusesource.jansi Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product Manifest Implementation-Title jansi High Product Manifest specification-title jansi Medium Product Manifest build-jdk-spec 11 Low Product gradle artifactid jansi Highest Product Manifest bundle-docurl http://fusesource.com/ Low Product pom parent-groupid org.fusesource Medium Product pom groupid fusesource.jansi Highest Product jar package name jansi Highest Product pom artifactid jansi Highest Product jar package name fusesource Highest Product pom parent-artifactid fusesource-pom Medium Product Manifest bundle-symbolicname org.fusesource.jansi Medium Product pom name ${project.artifactId} High Product Manifest Bundle-Name jansi Medium Version Manifest Bundle-Version 2.1.0 High Version pom parent-version 2.1.0 Low Version pom version 2.1.0 Highest Version gradle version 2.1.0 Highest Version Manifest Implementation-Version 2.1.0 High Version file version 2.1.0 High
jansi-2.1.0.jar: jansi.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.fusesource.jansi/jansi/2.1.0/605acb1326439709ac32b1bdf7c2606b9ba7fc35/jansi-2.1.0.jar/org/fusesource/jansi/internal/native/Windows/x86/jansi.dll
MD5: e8bf1138582700f9afe059280cd467fb
SHA1: 32d0860dd100696a4d54e88cf85260754c0353d9
SHA256: 2125247b103311c1cdcc1a874e1f75708d32c4bfcb8c7509ceb014270391e8d8
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence Type Source Name Value Confidence Vendor file name jansi High Product file name jansi High
jansi-2.1.0.jar: jansi.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.fusesource.jansi/jansi/2.1.0/605acb1326439709ac32b1bdf7c2606b9ba7fc35/jansi-2.1.0.jar/org/fusesource/jansi/internal/native/Windows/x86_64/jansi.dll
MD5: 74ff4d3bd330209ea4750ede89796dee
SHA1: 7797b94128e27d3e23f337dcc1f238cc48a26d31
SHA256: 2c360d7eb9865c6dd2ad0d6a6cf6dbc06d416d936df0c339697e49655a13cb33
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence Type Source Name Value Confidence Vendor file name jansi High Product file name jansi High
jasper-compiler-5.5.12.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/tomcat/jasper-compiler/5.5.12/c594866c64565344c0e7bdc9bf4fee70290c4dd5/jasper-compiler-5.5.12.jar
MD5: 09f7545f0006619925988d0da8f28960
SHA1: c594866c64565344c0e7bdc9bf4fee70290c4dd5
SHA256: 57667b14a10f91ced8f6ec38881708b898211fd0faba597c312fd1d1c8c6c0a3
Referenced In Projects/Scopes:
piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath Evidence Type Source Name Value Confidence Vendor gradle groupid tomcat Highest Vendor file name jasper-compiler High Vendor jar package name jasper Low Vendor jar package name apache Low Vendor jar package name compiler Low Product file name jasper-compiler High Product jar package name jasper Low Product gradle artifactid jasper-compiler Highest Product jar package name compiler Low Version gradle version 5.5.12 Highest Version file name jasper-compiler Medium Version file version 5.5.12 High
jasper-runtime-5.5.12.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/tomcat/jasper-runtime/5.5.12/f3a50a55414655b9843f5a089923ea83d49dc55e/jasper-runtime-5.5.12.jar
MD5: 00106504f4cb72c3d59f917209cfb6c3
SHA1: f3a50a55414655b9843f5a089923ea83d49dc55e
SHA256: 128aa292e50cd956e8c7bbda90b7e220d044097771ed5d62ebbd5d37253ebef4
Referenced In Projects/Scopes:
piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath Evidence Type Source Name Value Confidence Vendor gradle groupid tomcat Highest Vendor jar package name jasper Low Vendor jar package name apache Low Vendor file name jasper-runtime High Vendor jar package name runtime Low Product gradle artifactid jasper-runtime Highest Product jar package name jasper Low Product file name jasper-runtime High Product jar package name runtime Low Version gradle version 5.5.12 Highest Version file version 5.5.12 High Version file name jasper-runtime Medium
java-xmlbuilder-0.4.jar
Description: XML Builder is a utility that creates simple XML documents using relatively sparse Java code.
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.jamesmurty.utils/java-xmlbuilder/0.4/ac5962e48cdee3a0a6e1f8e00fcb594747ac5aaf/java-xmlbuilder-0.4.jar
MD5: 0fa474213a6a0282cd9264f6e0dd3658
SHA1: ac5962e48cdee3a0a6e1f8e00fcb594747ac5aaf
SHA256: 681e53c4ffd59fa12068803b259e3a83d43f07a47c112e748a187dee179eb31f
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath piglet:default Evidence Type Source Name Value Confidence Vendor pom url http://code.google.com/p/java-xmlbuilder/ Highest Vendor gradle groupid com.jamesmurty.utils Highest Vendor pom name java-xmlbuilder High Vendor pom groupid jamesmurty.utils Highest Vendor jar package name jamesmurty Highest Vendor jar package name base64 Low Vendor jar package name utils Highest Vendor jar package name xmlbuilder Highest Vendor jar package name net Low Vendor jar package name iharder Low Vendor file name java-xmlbuilder High Vendor pom artifactid java-xmlbuilder Low Product pom groupid jamesmurty.utils Highest Product jar package name jamesmurty Highest Product jar package name base64 Low Product jar package name utils Highest Product jar package name xmlbuilder Highest Product pom artifactid java-xmlbuilder Highest Product jar package name iharder Low Product file name java-xmlbuilder High Product gradle artifactid java-xmlbuilder Highest Product pom url http://code.google.com/p/java-xmlbuilder/ Medium Product pom name java-xmlbuilder High Version file version 0.4 High Version pom version 0.4 Highest Version gradle version 0.4 Highest
java-xmlbuilder-1.0.jar
Description: XML Builder is a utility that creates simple XML documents using relatively sparse Java code.
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.jamesmurty.utils/java-xmlbuilder/1.0/4a6507aa7da3d7db5dd23eedf1185649384c3bc3/java-xmlbuilder-1.0.jar
MD5: 25be2879ad6fd58e5cb834f74be34e08
SHA1: 4a6507aa7da3d7db5dd23eedf1185649384c3bc3
SHA256: a26cb9ba3c57c84864125a584a3b0f437c8d291e33aa900b133c89f55fcf3343
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor jar package name jamesmurty Low Vendor pom groupid jamesmurty.utils Highest Vendor jar package name jamesmurty Highest Vendor pom url jmurty/java-xmlbuilder Highest Vendor jar package name utils Highest Vendor jar package name xmlbuilder Highest Vendor file name java-xmlbuilder High Vendor pom artifactid java-xmlbuilder Low Vendor gradle groupid com.jamesmurty.utils Highest Vendor pom name java-xmlbuilder High Vendor jar package name utils Low Product pom groupid jamesmurty.utils Highest Product jar package name jamesmurty Highest Product jar package name utils Highest Product jar package name xmlbuilder Highest Product pom artifactid java-xmlbuilder Highest Product pom url jmurty/java-xmlbuilder High Product file name java-xmlbuilder High Product gradle artifactid java-xmlbuilder Highest Product pom name java-xmlbuilder High Product jar package name utils Low Version file version 1.0 High Version pom version 1.0 Highest Version gradle version 1.0 Highest
javacc-4.0.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.java.dev.javacc/javacc/4.0/55440b393a188c8efa26db43a8292204c15d1dbc/javacc-4.0.jar
MD5: 98f9f2361d61f106a2d65e5d302eefbd
SHA1: 55440b393a188c8efa26db43a8292204c15d1dbc
SHA256: cfbab2d6acdb3764e2bcb5c0842a59f583cb5e8ba2eb5c13a8db98368aadcc2f
Referenced In Projects/Scopes:
core:javaccClaspath babel:javaccClaspath piglet:javaccClaspath server:javaccClaspath Evidence Type Source Name Value Confidence Vendor jar package name javacc Low Vendor file name javacc High Vendor gradle groupid net.java.dev.javacc Highest Product file name javacc High Product gradle artifactid javacc Highest Version file name javacc Medium Version gradle version 4.0 Highest Version file version 4.0 High
javassist-3.18.1-GA.jar
Description: Javassist (JAVA programming ASSISTant) makes Java bytecode manipulation simple. It is a class library for editing bytecodes in Java.
License:
MPL 1.1: http://www.mozilla.org/MPL/MPL-1.1.html
LGPL 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Apache License 2.0: http://www.apache.org/licenses/
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.javassist/javassist/3.18.1-GA/d9a09f7732226af26bf99f19e2cffe0ae219db5b/javassist-3.18.1-GA.jar
MD5: 5bb83868c87334320562af7eded65cc2
SHA1: d9a09f7732226af26bf99f19e2cffe0ae219db5b
SHA256: 3fb71231afd098bb0f93f5eb97aa8291c8d0556379125e596f92ec8f944c6162
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor pom name Javassist High Vendor file name javassist High Vendor pom groupid javassist Highest Vendor pom url http://www.javassist.org/ Highest Vendor jar package name javassist Highest Vendor jar package name bytecode Highest Vendor pom artifactid javassist Low Vendor gradle groupid org.javassist Highest Vendor Manifest bundle-symbolicname javassist Medium Vendor Manifest specification-vendor Shigeru Chiba, www.javassist.org Low Product gradle artifactid javassist Highest Product pom name Javassist High Product pom url http://www.javassist.org/ Medium Product file name javassist High Product pom groupid javassist Highest Product jar package name javassist Highest Product jar package name bytecode Highest Product Manifest bundle-symbolicname javassist Medium Product Manifest Bundle-Name Javassist Medium Product pom artifactid javassist Highest Product Manifest specification-title Javassist Medium Version gradle version 3.18.1-GA Highest Version pom version 3.18.1-GA Highest
javax.activation-1.2.0.jar
Description: JavaBeans Activation Framework
License: https://github.com/javaee/activation/blob/master/LICENSE.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.sun.activation/javax.activation/1.2.0/bf744c1e2776ed1de3c55c8dac1057ec331ef744/javax.activation-1.2.0.jar
MD5: be7c430df50b330cffc4848a3abedbfb
SHA1: bf744c1e2776ed1de3c55c8dac1057ec331ef744
SHA256: 993302b16cd7056f21e779cc577d175a810bb4900ef73cd8fbf2b50f928ba9ce
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:runtimeClasspath Evidence Type Source Name Value Confidence Vendor Manifest Implementation-Vendor-Id com.sun Medium Vendor Manifest extension-name javax.activation Medium Vendor Manifest bundle-docurl http://www.oracle.com Low Vendor Manifest automatic-module-name java.activation Medium Vendor file name javax.activation High Vendor jar package name sun Highest Vendor Manifest Implementation-Vendor Oracle High Vendor Manifest originally-created-by 1.8.0_141 (Oracle Corporation) Low Vendor Manifest (hint) specification-vendor sun Low Vendor pom parent-artifactid all Low Vendor jar package name activation Highest Vendor Manifest specification-vendor Oracle Low Vendor pom groupid sun.activation Highest Vendor jar package name javax Highest Vendor pom parent-groupid com.sun.activation Medium Vendor gradle groupid com.sun.activation Highest Vendor pom artifactid javax.activation Low Vendor pom name JavaBeans Activation Framework High Vendor jar (hint) package name oracle Highest Vendor Manifest (hint) Implementation-Vendor sun High Vendor Manifest bundle-symbolicname com.sun.activation.javax.activation Medium Product Manifest extension-name javax.activation Medium Product gradle artifactid javax.activation Highest Product Manifest bundle-docurl http://www.oracle.com Low Product Manifest automatic-module-name java.activation Medium Product file name javax.activation High Product jar package name sun Highest Product Manifest originally-created-by 1.8.0_141 (Oracle Corporation) Low Product Manifest Implementation-Title javax.activation High Product pom artifactid javax.activation Highest Product Manifest Bundle-Name JavaBeans Activation Framework Medium Product jar package name activation Highest Product Manifest specification-title JavaBeans(TM) Activation Framework Specification Medium Product pom groupid sun.activation Highest Product jar package name javax Highest Product pom parent-groupid 
com.sun.activation Medium Product pom name JavaBeans Activation Framework High Product pom parent-artifactid all Medium Product Manifest bundle-symbolicname com.sun.activation.javax.activation Medium Version gradle version 1.2.0 Highest Version Manifest Implementation-Version 1.2.0 High Version Manifest Bundle-Version 1.2.0 High Version pom version 1.2.0 Highest Version file version 1.2.0 High
javax.activation-api-1.2.0.jar
Description: JavaBeans Activation Framework API jar
License: https://github.com/javaee/activation/blob/master/LICENSE.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.activation/javax.activation-api/1.2.0/85262acf3ca9816f9537ca47d5adeabaead7cb16/javax.activation-api-1.2.0.jar
MD5: 5e50e56bcf4a3ef3bc758f69f7643c3b
SHA1: 85262acf3ca9816f9537ca47d5adeabaead7cb16
SHA256: 43fdef0b5b6ceb31b0424b208b930c74ab58fac2ceeb7b3f6fd3aeb8b5ca4393
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath Evidence Type Source Name Value Confidence Vendor Manifest Implementation-Vendor-Id com.sun Medium Vendor Manifest extension-name javax.activation Medium Vendor Manifest bundle-docurl http://www.oracle.com Low Vendor Manifest automatic-module-name java.activation Medium Vendor Manifest Implementation-Vendor Oracle High Vendor Manifest originally-created-by 1.8.0_141 (Oracle Corporation) Low Vendor Manifest (hint) specification-vendor sun Low Vendor pom groupid javax.activation Highest Vendor pom parent-artifactid all Low Vendor jar package name activation Highest Vendor Manifest specification-vendor Oracle Low Vendor pom name JavaBeans Activation Framework API jar High Vendor pom artifactid javax.activation-api Low Vendor gradle groupid javax.activation Highest Vendor jar package name javax Highest Vendor file name javax.activation-api High Vendor pom parent-groupid com.sun.activation Medium Vendor Manifest (hint) Implementation-Vendor sun High Vendor Manifest bundle-symbolicname javax.activation-api Medium Product Manifest extension-name javax.activation Medium Product Manifest bundle-docurl http://www.oracle.com Low Product Manifest automatic-module-name java.activation Medium Product Manifest originally-created-by 1.8.0_141 (Oracle Corporation) Low Product pom artifactid javax.activation-api Highest Product pom groupid javax.activation Highest Product Manifest specification-title javax.activation.javax.activation-api Medium Product Manifest Bundle-Name JavaBeans Activation Framework API jar Medium Product Manifest Implementation-Title javax.activation.javax.activation-api High Product jar package name activation Highest Product pom name JavaBeans Activation Framework API jar High Product jar package name javax Highest Product file name javax.activation-api High Product pom parent-groupid com.sun.activation Medium Product pom parent-artifactid all 
Medium Product gradle artifactid javax.activation-api Highest Product Manifest bundle-symbolicname javax.activation-api Medium Version gradle version 1.2.0 Highest Version Manifest Implementation-Version 1.2.0 High Version Manifest Bundle-Version 1.2.0 High Version pom version 1.2.0 Highest Version file version 1.2.0 High
javax.annotation-api-1.2.jar
Description: Common Annotations for the Java(TM) Platform API
License: CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.annotation/javax.annotation-api/1.2/479c1e06db31c432330183f5cae684163f186146/javax.annotation-api-1.2.jar
MD5: 75fe320d2b3763bd6883ae1ede35e987
SHA1: 479c1e06db31c432330183f5cae684163f186146
SHA256: 5909b396ca3a2be10d0eea32c74ef78d816e1b4ead21de1d78de1f890d033e04
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | javax.annotation-api | Low
Vendor | Manifest | bundle-symbolicname | javax.annotation-api | Medium
Vendor | jar | package name | annotation | Highest
Vendor | Manifest | specification-vendor | Oracle Corporation | Low
Vendor | pom | organization url | https://glassfish.java.net | Medium
Vendor | Manifest | bundle-docurl | https://glassfish.java.net | Low
Vendor | Manifest | Implementation-Vendor-Id | org.glassfish | Medium
Vendor | pom | parent-artifactid | jvnet-parent | Low
Vendor | jar | package name | javax | Highest
Vendor | pom | organization name | GlassFish Community | High
Vendor | pom | parent-groupid | net.java | Medium
Vendor | gradle | groupid | javax.annotation | Highest
Vendor | file | name | javax.annotation-api | High
Vendor | Manifest | extension-name | javax.annotation | Medium
Vendor | Manifest | Implementation-Vendor | GlassFish Community | High
Vendor | pom | name | ${extension.name} API | High
Vendor | pom | groupid | javax.annotation | Highest
Vendor | pom | url | http://jcp.org/en/jsr/detail?id=250 | Highest
Product | Manifest | bundle-symbolicname | javax.annotation-api | Medium
Product | pom | organization name | GlassFish Community | Low
Product | jar | package name | annotation | Highest
Product | Manifest | bundle-docurl | https://glassfish.java.net | Low
Product | Manifest | Bundle-Name | javax.annotation API | Medium
Product | jar | package name | javax | Highest
Product | pom | parent-groupid | net.java | Medium
Product | gradle | artifactid | javax.annotation-api | Highest
Product | pom | url | http://jcp.org/en/jsr/detail?id=250 | Medium
Product | file | name | javax.annotation-api | High
Product | Manifest | extension-name | javax.annotation | Medium
Product | pom | parent-artifactid | jvnet-parent | Medium
Product | pom | organization url | https://glassfish.java.net | Low
Product | pom | name | ${extension.name} API | High
Product | pom | groupid | javax.annotation | Highest
Product | pom | artifactid | javax.annotation-api | Highest
Version | file | version | 1.2 | High
Version | Manifest | Bundle-Version | 1.2 | High
Version | Manifest | Implementation-Version | 1.2 | High
Version | pom | version | 1.2 | Highest
Version | gradle | version | 1.2 | Highest
Version | pom | parent-version | 1.2 | Low

javax.inject-1.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.inject/javax.inject/1/6975da39a7040257bd51d21a231b76c915872d38/javax.inject-1.jar
MD5: 289075e48b909e9e74e6c915b3631d2e
SHA1: 6975da39a7040257bd51d21a231b76c915872d38
SHA256: 91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff
Referenced In Projects/Scopes: calcite:sqllineClasspath plus:compileClasspath spark:default spark:compileClasspath plus:default plus:runtimeClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | gradle | groupid | javax.inject | Highest
Vendor | jar | package name | inject | Low
Vendor | jar | package name | javax | Low
Vendor | file | name | javax.inject-1 | High
Product | jar | package name | inject | Low
Product | gradle | artifactid | javax.inject | Highest
Product | file | name | javax.inject-1 | High
Version | gradle | version | 1 | Highest
Version | file | version | 1 | Medium
Version | file | name | javax.inject-1 | Medium

javax.inject-2.4.0-b34.jar
Description: Injection API (JSR 330) version ${javax.inject.version} repackaged as OSGi bundle
License: https://glassfish.java.net/nonav/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.hk2.external/javax.inject/2.4.0-b34/a6a3d4935af7b03e44126b5aac2c2a0ce98fe6e9/javax.inject-2.4.0-b34.jar
MD5: 0299609004955f54207ab8562273b5af
SHA1: a6a3d4935af7b03e44126b5aac2c2a0ce98fe6e9
SHA256: fdbf80a01b854045bd4004b7c6b1fdc2da81db475bfbd08ed574eeffcf9a7b1a
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | bundle-docurl | http://www.oracle.com | Low
Vendor | pom | name | javax.inject:${javax-inject.version} as OSGi bundle | High
Vendor | jar | package name | javax | Highest
Vendor | gradle | groupid | org.glassfish.hk2.external | Highest
Vendor | pom | artifactid | javax.inject | Low
Vendor | file | name | javax.inject | High
Vendor | pom | parent-groupid | org.glassfish.hk2 | Medium
Vendor | jar | package name | inject | Highest
Vendor | Manifest | bundle-symbolicname | org.glassfish.hk2.external.javax.inject | Medium
Vendor | pom | groupid | glassfish.hk2.external | Highest
Vendor | pom | parent-artifactid | external | Low
Product | Manifest | bundle-docurl | http://www.oracle.com | Low
Product | pom | name | javax.inject:${javax-inject.version} as OSGi bundle | High
Product | pom | parent-groupid | org.glassfish.hk2 | Medium
Product | pom | artifactid | javax.inject | Highest
Product | gradle | artifactid | javax.inject | Highest
Product | Manifest | bundle-symbolicname | org.glassfish.hk2.external.javax.inject | Medium
Product | jar | package name | javax | Highest
Product | file | name | javax.inject | High
Product | pom | parent-artifactid | external | Medium
Product | jar | package name | inject | Highest
Product | Manifest | Bundle-Name | javax.inject:1 as OSGi bundle | Medium
Product | pom | groupid | glassfish.hk2.external | Highest
Version | gradle | version | 2.4.0-b34 | Highest
Version | pom | version | 2.4.0-b34 | Highest

javax.resource-api-1.7.1.jar
Description: Java EE Connector Architecture API
License: CDDL + GPLv2 with classpath exception: https://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.resource/javax.resource-api/1.7.1/f86b4d697ecd992ec6c4c6053736db16d41dc57f/javax.resource-api-1.7.1.jar
MD5: 41f26638ff807ef37845d6d89ef0e694
SHA1: f86b4d697ecd992ec6c4c6053736db16d41dc57f
SHA256: c75bd698263abd9c8c773e3b433a4da2c983fbc92a0a4ef5fc3286e62f41e411
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | gradle | groupid | javax.resource | Highest
Vendor | jar | package name | resource | Highest
Vendor | Manifest | specification-vendor | Oracle Corporation | Low
Vendor | Manifest | bundle-symbolicname | javax.resource-api | Medium
Vendor | pom | groupid | javax.resource | Highest
Vendor | Manifest | Implementation-Vendor | Oracle Corporation | High
Vendor | Manifest | extension-name | javax.resource | Medium
Vendor | pom | organization name | Oracle Corporation | High
Vendor | Manifest | Implementation-Vendor-Id | org.glassfish | Medium
Vendor | Manifest | bundle-docurl | http://www.oracle.com/ | Low
Vendor | jar | package name | connector | Highest
Vendor | pom | parent-artifactid | jvnet-parent | Low
Vendor | jar | package name | javax | Highest
Vendor | pom | url | javaee/javax.resource | Highest
Vendor | pom | organization url | http://www.oracle.com/ | Medium
Vendor | pom | parent-groupid | net.java | Medium
Vendor | pom | artifactid | javax.resource-api | Low
Vendor | pom | name | ${extension.name} API | High
Vendor | file | name | javax.resource-api | High
Product | pom | artifactid | javax.resource-api | Highest
Product | jar | package name | resource | Highest
Product | Manifest | bundle-symbolicname | javax.resource-api | Medium
Product | pom | groupid | javax.resource | Highest
Product | Manifest | extension-name | javax.resource | Medium
Product | jar | package name | connector | Highest
Product | Manifest | bundle-docurl | http://www.oracle.com/ | Low
Product | Manifest | Bundle-Name | javax.resource API | Medium
Product | gradle | artifactid | javax.resource-api | Highest
Product | pom | organization name | Oracle Corporation | Low
Product | jar | package name | javax | Highest
Product | pom | parent-groupid | net.java | Medium
Product | pom | url | javaee/javax.resource | High
Product | pom | organization url | http://www.oracle.com/ | Low
Product | pom | parent-artifactid | jvnet-parent | Medium
Product | pom | name | ${extension.name} API | High
Product | file | name | javax.resource-api | High
Version | gradle | version | 1.7.1 | Highest
Version | pom | parent-version | 1.7.1 | Low
Version | file | version | 1.7.1 | High
Version | Manifest | Bundle-Version | 1.7.1 | High
Version | Manifest | Implementation-Version | 1.7.1 | High
Version | pom | version | 1.7.1 | Highest

javax.servlet-api-4.0.1.jar
Description: Java(TM) Servlet 4.0 API Design Specification
License: CDDL + GPLv2 with classpath exception: https://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.servlet/javax.servlet-api/4.0.1/a27082684a2ff0bf397666c3943496c44541d1ca/javax.servlet-api-4.0.1.jar
MD5: b80414033bf3397de334b95e892a2f44
SHA1: a27082684a2ff0bf397666c3943496c44541d1ca
SHA256: 83a03dd877d3674576f0da7b90755c8524af099ccf0607fc61aa971535ad7c60
Referenced In Projects/Scopes: calcite:sqllineClasspath plus:compileClasspath geode:default spark:default spark:compileClasspath geode:runtimeClasspath plus:default plus:runtimeClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | extension-name | javax.servlet | Medium
Vendor | jar | package name | servlet | Highest
Vendor | Manifest | specification-vendor | Oracle Corporation | Low
Vendor | pom | groupid | javax.servlet | Highest
Vendor | Manifest | bundle-docurl | https://javaee.github.io | Low
Vendor | pom | name | Java Servlet API | High
Vendor | pom | artifactid | javax.servlet-api | Low
Vendor | file | name | javax.servlet-api | High
Vendor | Manifest | Implementation-Vendor-Id | org.glassfish | Medium
Vendor | pom | organization url | https://javaee.github.io | Medium
Vendor | pom | parent-artifactid | jvnet-parent | Low
Vendor | jar | package name | javax | Highest
Vendor | pom | organization name | GlassFish Community | High
Vendor | gradle | groupid | javax.servlet | Highest
Vendor | pom | parent-groupid | net.java | Medium
Vendor | pom | url | https://javaee.github.io/servlet-spec/ | Highest
Vendor | Manifest | bundle-symbolicname | javax.servlet-api | Medium
Vendor | Manifest | Implementation-Vendor | GlassFish Community | High
Product | Manifest | extension-name | javax.servlet | Medium
Product | pom | organization url | https://javaee.github.io | Low
Product | jar | package name | servlet | Highest
Product | pom | organization name | GlassFish Community | Low
Product | pom | url | https://javaee.github.io/servlet-spec/ | Medium
Product | pom | groupid | javax.servlet | Highest
Product | pom | artifactid | javax.servlet-api | Highest
Product | Manifest | bundle-docurl | https://javaee.github.io | Low
Product | pom | name | Java Servlet API | High
Product | file | name | javax.servlet-api | High
Product | jar | package name | javax | Highest
Product | gradle | artifactid | javax.servlet-api | Highest
Product | pom | parent-groupid | net.java | Medium
Product | Manifest | bundle-symbolicname | javax.servlet-api | Medium
Product | pom | parent-artifactid | jvnet-parent | Medium
Product | Manifest | Bundle-Name | Java Servlet API | Medium
Version | gradle | version | 4.0.1 | Highest
Version | Manifest | Implementation-Version | 4.0.1 | High
Version | pom | version | 4.0.1 | Highest
Version | file | version | 4.0.1 | High
Version | pom | parent-version | 4.0.1 | Low

javax.transaction-api-1.3.jar
Description: Project GlassFish Java Transaction API
License: CDDL + GPLv2 with classpath exception: https://github.com/javaee/javax.transaction/blob/master/LICENSE
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.transaction/javax.transaction-api/1.3/e006adf5cf3cca2181d16bd640ecb80148ec0fce/javax.transaction-api-1.3.jar
MD5: 6e9cb1684621821248b6823143ae26c0
SHA1: e006adf5cf3cca2181d16bd640ecb80148ec0fce
SHA256: 603df5e4fc1eeae8f5e5d363a8be6c1fa47d0df1df8739a05cbcb9fafd6df2da
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | javax.transaction | Highest
Vendor | Manifest | extension-name | javax.transaction | Medium
Vendor | jar | package name | transaction | Highest
Vendor | Manifest | specification-vendor | Oracle Corporation | Low
Vendor | pom | organization url | https://glassfish.java.net | Medium
Vendor | Manifest | bundle-docurl | https://glassfish.java.net | Low
Vendor | Manifest | bundle-symbolicname | javax.transaction-api | Medium
Vendor | Manifest | Implementation-Vendor-Id | org.glassfish | Medium
Vendor | Manifest | automatic-module-name | java.transaction | Medium
Vendor | gradle | groupid | javax.transaction | Highest
Vendor | pom | parent-artifactid | jvnet-parent | Low
Vendor | jar | package name | javax | Highest
Vendor | pom | artifactid | javax.transaction-api | Low
Vendor | pom | organization name | GlassFish Community | High
Vendor | file | name | javax.transaction-api | High
Vendor | pom | parent-groupid | net.java | Medium
Vendor | pom | url | http://jta-spec.java.net | Highest
Vendor | Manifest | Implementation-Vendor | GlassFish Community | High
Vendor | pom | name | ${extension.name} API | High
Product | pom | artifactid | javax.transaction-api | Highest
Product | pom | groupid | javax.transaction | Highest
Product | pom | organization name | GlassFish Community | Low
Product | Manifest | Bundle-Name | javax.transaction API | Medium
Product | Manifest | extension-name | javax.transaction | Medium
Product | jar | package name | transaction | Highest
Product | Manifest | bundle-docurl | https://glassfish.java.net | Low
Product | gradle | artifactid | javax.transaction-api | Highest
Product | Manifest | bundle-symbolicname | javax.transaction-api | Medium
Product | Manifest | automatic-module-name | java.transaction | Medium
Product | jar | package name | javax | Highest
Product | file | name | javax.transaction-api | High
Product | pom | parent-groupid | net.java | Medium
Product | pom | url | http://jta-spec.java.net | Medium
Product | pom | parent-artifactid | jvnet-parent | Medium
Product | pom | organization url | https://glassfish.java.net | Low
Product | pom | name | ${extension.name} API | High
Version | Manifest | Implementation-Version | 1.3 | High
Version | Manifest | Bundle-Version | 1.3 | High
Version | pom | version | 1.3 | Highest
Version | gradle | version | 1.3 | Highest
Version | file | version | 1.3 | High
Version | pom | parent-version | 1.3 | Low

javax.ws.rs-api-2.0.1.jar
Description: Java API for RESTful Web Services (JAX-RS)
License:
CDDL 1.1: http://glassfish.java.net/public/CDDL+GPL_1_1.html
GPL2 w/ CPE: http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.ws.rs/javax.ws.rs-api/2.0.1/104e9c2b5583cfcfeac0402316221648d6d8ea6b/javax.ws.rs-api-2.0.1.jar
MD5: edcd111cf4d3ba8ac8e1f326efc37a17
SHA1: 104e9c2b5583cfcfeac0402316221648d6d8ea6b
SHA256: 38607d626f2288d8fbc1b1f8a62c369e63806d9a313ac7cbc5f9d6c94f4b466d
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | extension-name | javax.ws.rs | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Vendor | hint analyzer | vendor | web services | Medium
Vendor | file | name | javax.ws.rs-api | High
Vendor | Manifest | specification-vendor | Oracle Corporation | Low
Vendor | pom | url | http://jax-rs-spec.java.net | Highest
Vendor | pom | artifactid | javax.ws.rs-api | Low
Vendor | jar | package name | ws | Highest
Vendor | pom | groupid | javax.ws.rs | Highest
Vendor | pom | organization name | Oracle Corporation | High
Vendor | Manifest | bundle-docurl | http://www.oracle.com/ | Low
Vendor | pom | parent-artifactid | jvnet-parent | Low
Vendor | pom | name | javax.ws.rs-api | High
Vendor | gradle | groupid | javax.ws.rs | Highest
Vendor | jar | package name | javax | Highest
Vendor | pom | organization url | http://www.oracle.com/ | Medium
Vendor | pom | parent-groupid | net.java | Medium
Vendor | jar | package name | rs | Highest
Vendor | Manifest | bundle-symbolicname | javax.ws.rs-api | Medium
Product | gradle | artifactid | javax.ws.rs-api | Highest
Product | Manifest | extension-name | javax.ws.rs | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | file | name | javax.ws.rs-api | High
Product | Manifest | Bundle-Name | javax.ws.rs-api | Medium
Product | jar | package name | ws | Highest
Product | pom | groupid | javax.ws.rs | Highest
Product | hint analyzer | product | web services | Medium
Product | Manifest | bundle-docurl | http://www.oracle.com/ | Low
Product | pom | name | javax.ws.rs-api | High
Product | pom | organization name | Oracle Corporation | Low
Product | jar | package name | javax | Highest
Product | pom | parent-groupid | net.java | Medium
Product | jar | package name | rs | Highest
Product | Manifest | bundle-symbolicname | javax.ws.rs-api | Medium
Product | pom | organization url | http://www.oracle.com/ | Low
Product | pom | parent-artifactid | jvnet-parent | Medium
Product | pom | url | http://jax-rs-spec.java.net | Medium
Product | pom | artifactid | javax.ws.rs-api | Highest
Version | file | version | 2.0.1 | High
Version | pom | version | 2.0.1 | Highest
Version | Manifest | Bundle-Version | 2.0.1 | High
Version | gradle | version | 2.0.1 | Highest
Version | Manifest | Implementation-Version | 2.0.1 | High
Version | pom | parent-version | 2.0.1 | Low

jaxb-api-2.2.2.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.xml.bind/jaxb-api/2.2.2/aeb3021ca93dde265796d82015beecdcff95bf09/jaxb-api-2.2.2.jar
MD5: a415e9a322984be1e1f8a023d09dca5f
SHA1: aeb3021ca93dde265796d82015beecdcff95bf09
SHA256: 30233df6215fb982d8784de91d307596748cea98d6d502293c7c3e85c1697137
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | specification-vendor | Sun Microsystems, Inc. | Low
Vendor | jar | package name | javax | Highest
Vendor | file | name | jaxb-api | High
Vendor | Manifest | extension-name | javax.xml.bind | Medium
Vendor | jar | package name | xml | Highest
Vendor | jar | package name | bind | Low
Vendor | gradle | groupid | javax.xml.bind | Highest
Vendor | jar | package name | javax | Low
Vendor | jar | package name | xml | Low
Vendor | jar | package name | bind | Highest
Product | Manifest | specification-title | Java Architecture for XML Binding | Medium
Product | jar | package name | javax | Highest
Product | file | name | jaxb-api | High
Product | jar | package name | xml | Highest
Product | Manifest | extension-name | javax.xml.bind | Medium
Product | jar | package name | bind | Low
Product | gradle | artifactid | jaxb-api | Highest
Product | jar | package name | xml | Low
Product | jar | package name | bind | Highest
Version | file | version | 2.2.2 | High
Version | Manifest | specification-version | 2.2.2 | High
Version | gradle | version | 2.2.2 | Highest
Version | file | name | jaxb-api | Medium

jaxb-api-2.3.1.jar
Description: JAXB (JSR 222) API
License: https://oss.oracle.com/licenses/CDDL+GPL-1.1, https://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.xml.bind/jaxb-api/2.3.1/8531ad5ac454cc2deb9d4d32c40c4d7451939b5d/jaxb-api-2.3.1.jar
MD5: bcf270d320f645ad19f5edb60091e87f
SHA1: 8531ad5ac454cc2deb9d4d32c40c4d7451939b5d
SHA256: 88b955a0df57880a26a74708bc34f74dcaf8ebf4e78843a28b50eae945732b06
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | bundle-symbolicname | jaxb-api | Medium
Vendor | file | name | jaxb-api | High
Vendor | Manifest | specification-vendor | Oracle Corporation | Low
Vendor | pom | artifactid | jaxb-api | Low
Vendor | Manifest | Implementation-Vendor | Oracle Corporation | High
Vendor | gradle | groupid | javax.xml.bind | Highest
Vendor | Manifest | implementation-build-id | UNKNOWN-7de2ca118a0cfc4a373872915aef59148dff5f93, 2018-09-12T06:28:43-0700 | Low
Vendor | Manifest | Implementation-Vendor-Id | org.glassfish | Medium
Vendor | Manifest | bundle-docurl | http://www.oracle.com/ | Low
Vendor | jar | package name | bind | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version>=1.8))" | Low
Vendor | pom | parent-artifactid | jaxb-api-parent | Low
Vendor | jar | package name | javax | Highest
Vendor | Manifest | extension-name | javax.xml.bind | Medium
Vendor | jar | package name | xml | Highest
Vendor | pom | groupid | javax.xml.bind | Highest
Vendor | jar | package name | jaxb | Highest
Vendor | Manifest | multi-release | true | Low
Product | pom | parent-artifactid | jaxb-api-parent | Medium
Product | Manifest | bundle-symbolicname | jaxb-api | Medium
Product | file | name | jaxb-api | High
Product | gradle | artifactid | jaxb-api | Highest
Product | Manifest | specification-title | jaxb-api | Medium
Product | Manifest | implementation-build-id | UNKNOWN-7de2ca118a0cfc4a373872915aef59148dff5f93, 2018-09-12T06:28:43-0700 | Low
Product | Manifest | bundle-docurl | http://www.oracle.com/ | Low
Product | jar | package name | bind | Highest
Product | pom | artifactid | jaxb-api | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version>=1.8))" | Low
Product | Manifest | Bundle-Name | jaxb-api | Medium
Product | jar | package name | javax | Highest
Product | Manifest | extension-name | javax.xml.bind | Medium
Product | jar | package name | xml | Highest
Product | pom | groupid | javax.xml.bind | Highest
Product | jar | package name | jaxb | Highest
Product | Manifest | multi-release | true | Low
Version | pom | version | 2.3.1 | Highest
Version | Manifest | Bundle-Version | 2.3.1 | High
Version | file | version | 2.3.1 | High
Version | gradle | version | 2.3.1 | Highest

jaxb-impl-2.2.3-1.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.sun.xml.bind/jaxb-impl/2.2.3-1/56baae106392040a45a06d4a41099173425da1e6/jaxb-impl-2.2.3-1.jar
MD5: 1b689e7f87caf2615c0f6a47831d0342
SHA1: 56baae106392040a45a06d4a41099173425da1e6
SHA256: fa3e1499b192c310312bf02881274b68394aaea4c9563e6c554cc406ae644ff8
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath piglet:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | Implementation-Vendor-Id | com.sun | Medium
Vendor | jar | package name | sun | Highest
Vendor | jar (hint) | package name | oracle | Low
Vendor | Manifest | specification-vendor | Oracle Corporation | Low
Vendor | Manifest | extension-name | com.sun.xml.bind | Medium
Vendor | Manifest | Implementation-Vendor | Oracle Corporation | High
Vendor | gradle | groupid | com.sun.xml.bind | Highest
Vendor | jar | package name | xml | Low
Vendor | file | name | jaxb-impl | High
Vendor | jar | package name | bind | Highest
Vendor | jar | package name | sun | Low
Vendor | jar | package name | xml | Highest
Vendor | jar | package name | bind | Low
Vendor | jar (hint) | package name | oracle | Highest
Product | Manifest | specification-title | Java Architecture for XML Binding | Medium
Product | jar | package name | sun | Highest
Product | jar | package name | xml | Highest
Product | gradle | artifactid | jaxb-impl | Highest
Product | jar | package name | v2 | Low
Product | Manifest | extension-name | com.sun.xml.bind | Medium
Product | jar | package name | bind | Low
Product | jar | package name | xml | Low
Product | file | name | jaxb-impl | High
Product | Manifest | Implementation-Title | JAXB Reference Implementation | High
Product | jar | package name | bind | Highest
Version | Manifest | build-id | hudson-jaxb-ri-2.2.3-3 | Medium
Version | gradle | version | 2.2.3-1 | Highest
Version | file | name | jaxb-impl | Medium
Version | manifest: com.sun.xml.bind.v2.runtime | Implementation-Version | 2.2.3-hudson-jaxb-ri-2.2.3-3- | Medium
Version | file | version | 2.2.3.1 | High
Version | Manifest | Implementation-Version | 2.2.3 | High

jaxb-impl-2.3.1.jar
Description: Old JAXB Runtime module. Contains sources required for runtime processing.
License: http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.sun.xml.bind/jaxb-impl/2.3.1/a1a12b85ba1435b4189e065f7dafcc3fb9410d38/jaxb-impl-2.3.1.jar
MD5: adee85f9825b054eaf876b6d659fe147
SHA1: a1a12b85ba1435b4189e065f7dafcc3fb9410d38
SHA256: e6c9e0f1830fd5f7c30c25ecf5e2046c5668b06d304add89d2f027d5072297d0
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | parent-artifactid | jaxb-bundles | Low
Vendor | jar | package name | sun | Highest
Vendor | Manifest | Implementation-Vendor | Oracle | High
Vendor | Manifest | bundle-symbolicname | com.sun.xml.bind.jaxb-impl | Medium
Vendor | Manifest | git-revision | ${buildNumber} | Low
Vendor | gradle | groupid | com.sun.xml.bind | Highest
Vendor | pom | artifactid | jaxb-impl | Low
Vendor | file | name | jaxb-impl | High
Vendor | jar | package name | bind | Highest
Vendor | Manifest | bundle-docurl | http://www.oracle.com/ | Low
Vendor | pom | name | Old JAXB Runtime | High
Vendor | Manifest | Implementation-Vendor-Id | com.oracle | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | jar | package name | xml | Highest
Vendor | Manifest | originally-created-by | Apache Maven 3.5.2 | Low
Vendor | pom | parent-groupid | com.sun.xml.bind.mvn | Medium
Vendor | jar (hint) | package name | oracle | Highest
Vendor | Manifest (hint) | Implementation-Vendor | sun | High
Vendor | pom | groupid | sun.xml.bind | Highest
Product | Manifest | specification-title | Java Architecture for XML Binding | Medium
Product | jar | package name | sun | Highest
Product | Manifest | bundle-symbolicname | com.sun.xml.bind.jaxb-impl | Medium
Product | Manifest | git-revision | ${buildNumber} | Low
Product | pom | artifactid | jaxb-impl | Highest
Product | file | name | jaxb-impl | High
Product | jar | package name | bind | Highest
Product | Manifest | bundle-docurl | http://www.oracle.com/ | Low
Product | pom | name | Old JAXB Runtime | High
Product | pom | parent-artifactid | jaxb-bundles | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | jar | package name | xml | Highest
Product | gradle | artifactid | jaxb-impl | Highest
Product | Manifest | Bundle-Name | Old JAXB Runtime | Medium
Product | Manifest | originally-created-by | Apache Maven 3.5.2 | Low
Product | pom | parent-groupid | com.sun.xml.bind.mvn | Medium
Product | Manifest | Implementation-Title | JAXB Implementation | High
Product | pom | groupid | sun.xml.bind | Highest
Version | pom | version | 2.3.1 | Highest
Version | Manifest | Bundle-Version | 2.3.1 | High
Version | Manifest | build-id | 2.3.1 | Medium
Version | file | version | 2.3.1 | High
Version | gradle | version | 2.3.1 | Highest
Version | Manifest | Implementation-Version | 2.3.1 | High

jaxb-impl-2.3.1.jar (shaded: org.glassfish.jaxb:jaxb-runtime:2.3.1)
Description: JAXB (JSR 222) Reference Implementation
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.sun.xml.bind/jaxb-impl/2.3.1/a1a12b85ba1435b4189e065f7dafcc3fb9410d38/jaxb-impl-2.3.1.jar/META-INF/maven/org.glassfish.jaxb/jaxb-runtime/pom.xml
MD5: 1cb582b3df01ba8710f501a6184b83c0
SHA1: 1856da23a80b9b1374d925d6dcb4a21db2144204
SHA256: f8101b86157fbfc01949ffdc7c59ea71ca23b7ece25f6a79061fe01cb750ff00
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | glassfish.jaxb | Highest
Vendor | pom | artifactid | jaxb-runtime | Low
Vendor | pom | name | JAXB Runtime | High
Vendor | pom | parent-groupid | com.sun.xml.bind.mvn | Medium
Vendor | pom | parent-artifactid | jaxb-runtime-parent | Low
Product | pom | groupid | glassfish.jaxb | Highest
Product | pom | name | JAXB Runtime | High
Product | pom | parent-groupid | com.sun.xml.bind.mvn | Medium
Product | pom | artifactid | jaxb-runtime | Highest
Product | pom | parent-artifactid | jaxb-runtime-parent | Medium
Version | pom | version | 2.3.1 | Highest

jcl-over-slf4j-1.7.16.jar
Description: JCL 1.1.1 implemented over SLF4J
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.slf4j/jcl-over-slf4j/1.7.16/34e48073884704ac987d3d1a1ab9b60e62028a9/jcl-over-slf4j-1.7.16.jar
MD5: aeb458dc10a619bd32ebc9d399dd64a8
SHA1: 034e48073884704ac987d3d1a1ab9b60e62028a9
SHA256: 764d8698e00c08dfbd8f6426ed95619cbf5473327a2a7d3b6bea6b1d987c6547
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | jcl-over-slf4j | Low
Vendor | pom | url | http://www.slf4j.org | Highest
Vendor | file | name | jcl-over-slf4j | High
Vendor | pom | groupid | slf4j | Highest
Vendor | pom | name | JCL 1.1.1 implemented over SLF4J | High
Vendor | pom | parent-groupid | org.slf4j | Medium
Vendor | gradle | groupid | org.slf4j | Highest
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Vendor | pom | parent-artifactid | slf4j-parent | Low
Vendor | Manifest | bundle-symbolicname | jcl.over.slf4j | Medium
Product | pom | artifactid | jcl-over-slf4j | Highest
Product | pom | url | http://www.slf4j.org | Medium
Product | pom | groupid | slf4j | Highest
Product | pom | name | JCL 1.1.1 implemented over SLF4J | High
Product | pom | parent-artifactid | slf4j-parent | Medium
Product | gradle | artifactid | jcl-over-slf4j | Highest
Product | Manifest | bundle-symbolicname | jcl.over.slf4j | Medium
Product | file | name | jcl-over-slf4j | High
Product | Manifest | Implementation-Title | jcl-over-slf4j | High
Product | pom | parent-groupid | org.slf4j | Medium
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Product | Manifest | Bundle-Name | jcl-over-slf4j | Medium
Version | Manifest | Bundle-Version | 1.7.16 | High
Version | pom | version | 1.7.16 | Highest
Version | gradle | version | 1.7.16 | Highest
Version | file | version | 1.7.16 | High
Version | Manifest | Implementation-Version | 1.7.16 | High

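Every entry in this report records the jar's location in the Gradle cache together with its MD5, SHA1 and SHA256, and the Gradle `modules-2` cache names each artifact's directory after the artifact's SHA1. The two can therefore be cross-checked, with one caveat visible in the jcl-over-slf4j entry directly above: the directory in the report's own path is `34e48073884704ac987d3d1a1ab9b60e62028a9` (39 hex digits) while the reported SHA1 is `034e48073884704ac987d3d1a1ab9b60e62028a9`, so the leading zero has been dropped from the directory name and must be padded back before comparing. The Python script below is an added example and is not part of the OWASP Dependency-Check report or tool. It recomputes the three digests of a jar, compares them with the values a report entry lists, and checks that the cache directory agrees with the SHA1; the fixture it builds in a temporary directory (group `example.group`, artifact `example-artifact`) is constructed for the demonstration and is not a real artifact.

```python
"""Cross-check the digests a Dependency-Check report lists for a jar against the
file on disk and against the Gradle modules-2 cache layout.
Added example; not code from the OWASP Dependency-Check project."""
import hashlib
import os
import tempfile

HEX_DIGITS = set("0123456789abcdef")
DIGESTS = ("md5", "sha1", "sha256")


def hash_file(path):
    """Return lowercase md5/sha1/sha256 hex digests of a file, read in 64 KiB chunks."""
    hashers = {name: hashlib.new(name) for name in DIGESTS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def gradle_cache_sha1(path):
    """Recover the artifact SHA1 encoded in a Gradle modules-2 cache path.

    Layout: .../files-2.1/<group>/<module>/<version>/<sha1>/<file>.
    The directory name may lack leading zeros (as the jcl-over-slf4j entry shows),
    so a short all-hex name is zero-padded back to 40 digits before comparison.
    Returns None when the parent directory is not a plausible SHA1 at all.
    """
    parent = os.path.basename(os.path.dirname(path)).lower()
    if not parent or len(parent) > 40 or not set(parent) <= HEX_DIGITS:
        return None
    return parent.rjust(40, "0")


def check_entry(entry, computed=None):
    """Compare one report entry (dict: file_path, md5, sha1, sha256) with the jar on disk.

    Returns one boolean per check so the caller can see which digest disagreed.
    `computed` lets a caller pass digests it already has instead of re-reading the file.
    """
    computed = computed or hash_file(entry["file_path"])
    reported = {name: entry[name].lower() for name in DIGESTS}
    result = {name: computed[name] == reported[name] for name in DIGESTS}
    result["cache_dir_matches_sha1"] = gradle_cache_sha1(entry["file_path"]) == reported["sha1"]
    return result


def self_check(content=b"PK\x03\x04 constructed fake jar, not a real artifact"):
    """Build a Gradle-style cache directory around a constructed fake jar and verify it.

    The SHA1 directory is written with leading zeros stripped, mimicking the report's
    jcl-over-slf4j path. Returns (results for the intact jar, results after appending
    one byte), so a tampered file is shown failing every digest while the path check,
    which only inspects the directory name, still passes.
    """
    digests = {name: hashlib.new(name, content).hexdigest() for name in DIGESTS}
    with tempfile.TemporaryDirectory() as root:
        cache_dir = os.path.join(root, "files-2.1", "example.group", "example-artifact",
                                 "1.0", digests["sha1"].lstrip("0") or "0")
        os.makedirs(cache_dir)
        jar = os.path.join(cache_dir, "example-artifact-1.0.jar")
        with open(jar, "wb") as fh:
            fh.write(content)
        entry = dict(file_path=jar, **digests)
        intact = check_entry(entry)
        with open(jar, "ab") as fh:  # simulate a modified artifact in the cache
            fh.write(b"\x00")
        tampered = check_entry(entry)
    return intact, tampered


if __name__ == "__main__":
    intact, tampered = self_check()
    print("intact jar:  ", intact)
    print("tampered jar:", tampered)
```

To use it against this report, build `entry` dicts from each dependency's File Path, MD5, SHA1 and SHA256 lines and call `check_entry` on a machine that has the same Gradle cache; a digest mismatch means the file being scanned is not the file the report describes. The check applies to whole jar files only: for the shaded entry above (jaxb-impl-2.3.1.jar (shaded: org.glassfish.jaxb:jaxb-runtime:2.3.1)) the report's path points at a pom.xml inside the jar and the listed digests are of that nested file, not of the jar.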
jedis-3.3.0.jar
Description: Jedis is a blazingly small and sane Redis java client.
License: MIT: http://github.com/xetorthio/jedis/raw/master/LICENSE.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/redis.clients/jedis/3.3.0/2ab3fdd2340ce84aa67765a8b8f5af05c45e06fd/jedis-3.3.0.jar
MD5: b3b914c4c4fed2b55b2ac88dfb0a249d
SHA1: 2ab3fdd2340ce84aa67765a8b8f5af05c45e06fd
SHA256: 1ee4dfcfdc56fe68b57f0550df180f99deaac1344c17fddfc8ccf0d8b98e832e
Referenced In Projects/Scopes: calcite:sqllineClasspath redis:compileClasspath redis:default redis:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | clients | Highest
Vendor | jar | package name | jedis | Highest
Vendor | jar | package name | client | Highest
Vendor | pom | name | Jedis | High
Vendor | pom | groupid | redis.clients | Highest
Vendor | Manifest | bundle-symbolicname | redis.clients.jedis | Medium
Vendor | gradle | groupid | redis.clients | Highest
Vendor | jar | package name | redis | Highest
Vendor | pom | artifactid | jedis | Low
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | pom | url | xetorthio/jedis | Highest
Vendor | file | name | jedis | High
Product | jar | package name | clients | Highest
Product | jar | package name | jedis | Highest
Product | jar | package name | client | Highest
Product | gradle | artifactid | jedis | Highest
Product | pom | name | Jedis | High
Product | pom | groupid | redis.clients | Highest
Product | pom | artifactid | jedis | Highest
Product | Manifest | bundle-symbolicname | redis.clients.jedis | Medium
Product | jar | package name | redis | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | pom | url | xetorthio/jedis | High
Product | file | name | jedis | High
Product | Manifest | Bundle-Name | Jedis | Medium
Version | gradle | version | 3.3.0 | Highest
Version | Manifest | Bundle-Version | 3.3.0 | High
Version | pom | version | 3.3.0 | Highest
Version | file | version | 3.3.0 | High

jersey-client-2.22.2.jar
Description: Jersey core client implementation
License: http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.jersey.core/jersey-client/2.22.2/1712fff037ce5a59e3d67f90fff29222989799ee/jersey-client-2.22.2.jar
MD5: 2954068011b278e9eeb81333325114b3
SHA1: 1712fff037ce5a59e3d67f90fff29222989799ee
SHA256: c2229f74968db3d0e676f680a58c1148278def927499f6f2eb1e932aba41fbd5
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | parent-groupid | org.glassfish.jersey | Medium
Vendor | pom | artifactid | jersey-client | Low
Vendor | pom | groupid | glassfish.jersey.core | Highest
Vendor | pom | name | jersey-core-client | High
Vendor | jar | package name | client | Highest
Vendor | pom | parent-artifactid | project | Low
Vendor | Manifest | bundle-symbolicname | org.glassfish.jersey.core.jersey-client | Medium
Vendor | jar | package name | glassfish | Highest
Vendor | Manifest | bundle-docurl | http://www.oracle.com/ | Low
Vendor | gradle | groupid | org.glassfish.jersey.core | Highest
Vendor | file | name | jersey-client | High
Vendor | jar | package name | jersey | Highest
Product | pom | parent-groupid | org.glassfish.jersey | Medium
Product | gradle | artifactid | jersey-client | Highest
Product | pom | groupid | glassfish.jersey.core | Highest
Product | pom | name | jersey-core-client | High
Product | jar | package name | client | Highest
Product | Manifest | bundle-symbolicname | org.glassfish.jersey.core.jersey-client | Medium
Product | jar | package name | glassfish | Highest
Product | Manifest | bundle-docurl | http://www.oracle.com/ | Low
Product | pom | artifactid | jersey-client | Highest
Product | Manifest | Bundle-Name | jersey-core-client | Medium
Product | pom | parent-artifactid | project | Medium
Product | file | name | jersey-client | High
Product | jar | package name | jersey | Highest
Version | file | version | 2.22.2 | High
Version | gradle | version | 2.22.2 | Highest
Version | Manifest | Bundle-Version | 2.22.2 | High
Version | pom | version | 2.22.2 | Highest

jersey-common-2.22.2.jar
Description: Jersey core common packages
License: http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.jersey.core/jersey-common/2.22.2/1209b89878b60ce7d49afadeff7522d2fde0e217/jersey-common-2.22.2.jar
MD5: d855b5f16119a933768c13690c099375
SHA1: 1209b89878b60ce7d49afadeff7522d2fde0e217
SHA256: 33c51bda7fe94c27056af05c6b6bb1a0c2968b5bcf09b4c098ccbe953231186d
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | parent-groupid | org.glassfish.jersey | Medium
Vendor | file | name | jersey-common | High
Vendor | pom | artifactid | jersey-common | Low
Vendor | pom | groupid | glassfish.jersey.core | Highest
Vendor | pom | parent-artifactid | project | Low
Vendor | Manifest | bundle-symbolicname | org.glassfish.jersey.core.jersey-common | Medium
Vendor | pom | name | jersey-core-common | High
Vendor | gradle | groupid | org.glassfish.jersey.core | Highest
Vendor | jar | package name | jersey | Highest
Vendor | jar | package name | glassfish | Highest
Vendor | Manifest | bundle-docurl | http://www.oracle.com/ | Low
Product | pom | parent-groupid | org.glassfish.jersey | Medium
Product | file | name | jersey-common | High
Product | gradle | artifactid | jersey-common | Highest
Product | pom | groupid | glassfish.jersey.core | Highest
Product | Manifest | bundle-symbolicname | org.glassfish.jersey.core.jersey-common | Medium
Product | pom | name | jersey-core-common | High
Product | jar | package name | glassfish | Highest
Product | Manifest | bundle-docurl | http://www.oracle.com/ | Low
Product | pom | artifactid | jersey-common | Highest
Product | Manifest | Bundle-Name | jersey-core-common | Medium
Product | pom | parent-artifactid | project | Medium
Product | jar | package name | jersey | Highest
Version | file | version | 2.22.2 | High
Version | gradle | version | 2.22.2 | Highest
Version | Manifest | Bundle-Version | 2.22.2 | High
Version | pom | version | 2.22.2 | Highest

jersey-container-servlet-2.22.2.jar
Description: Jersey core Servlet 3.x implementation
License: http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.jersey.containers/jersey-container-servlet/2.22.2/d90487b9809f822af7731abb8896a2183e7c4a0c/jersey-container-servlet-2.22.2.jar
MD5: b2c2437fc6bd593cffdc21fca596eb8f
SHA1: d90487b9809f822af7731abb8896a2183e7c4a0c
SHA256: 24567da42f73047d6f302b1bcafc552e8fddf6219f07cc72774eaac4a56d57e7
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jersey-container-servlet | High
Vendor | jar | package name | servlet | Highest
Vendor | gradle | groupid | org.glassfish.jersey.containers | Highest
Vendor | pom | parent-artifactid | project | Low
Vendor | Manifest | bundle-symbolicname | org.glassfish.jersey.containers.jersey-container-servlet | Medium
Vendor | jar | package name | glassfish | Highest
Vendor | Manifest | bundle-docurl | http://www.oracle.com/ | Low
Vendor | pom | name | jersey-container-servlet | High
Vendor | pom | groupid | glassfish.jersey.containers | Highest
Vendor | pom | parent-groupid | org.glassfish.jersey.containers | Medium
Vendor | pom | artifactid | jersey-container-servlet | Low
Vendor | jar | package name | jersey | Highest
Product | gradle | artifactid | jersey-container-servlet | Highest
Product | file | name | jersey-container-servlet | High
Product | jar | package name | servlet | Highest
Product | Manifest | bundle-symbolicname | org.glassfish.jersey.containers.jersey-container-servlet | Medium
Product | jar | package name | glassfish | Highest
Product | Manifest | bundle-docurl | http://www.oracle.com/ | Low
Product | pom | name | jersey-container-servlet | High
Product | pom | groupid | glassfish.jersey.containers | Highest
Product | pom | parent-artifactid | project | Medium
Product | pom | artifactid | jersey-container-servlet | Highest
Product | pom | parent-groupid | org.glassfish.jersey.containers | Medium
Product | Manifest | Bundle-Name | jersey-container-servlet | Medium
Product | jar | package name | jersey | Highest
Version | file | version | 2.22.2 | High
Version | gradle | version | 2.22.2 | Highest
Version | Manifest | Bundle-Version | 2.22.2 | High
Version | pom | version | 2.22.2 | Highest

jersey-container-servlet-core-2.22.2.jar
Description: Jersey core Servlet 2.x implementation
License: http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.jersey.containers/jersey-container-servlet-core/2.22.2/212c534c5b030594ccf5c4b929e8f7cbf26eb1ba/jersey-container-servlet-core-2.22.2.jar
MD5: a4adb948604d7908ba9e207d3746c171
SHA1: 212c534c5b030594ccf5c4b929e8f7cbf26eb1ba
SHA256: 7d5ef749aeafd22f25bf06b479be92201b34e8aa8e9ad4dbee69bbcf4dc1ce07
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor file name jersey-container-servlet-core High Vendor jar package name servlet Highest Vendor gradle groupid org.glassfish.jersey.containers Highest Vendor pom artifactid jersey-container-servlet-core Low Vendor pom parent-artifactid project Low Vendor Manifest bundle-symbolicname org.glassfish.jersey.containers.jersey-container-servlet-core Medium Vendor jar package name glassfish Highest Vendor Manifest bundle-docurl http://www.oracle.com/ Low Vendor pom groupid glassfish.jersey.containers Highest Vendor pom name jersey-container-servlet-core High Vendor pom parent-groupid org.glassfish.jersey.containers Medium Vendor jar package name jersey Highest Product file name jersey-container-servlet-core High Product jar package name servlet Highest Product gradle artifactid jersey-container-servlet-core Highest Product Manifest bundle-symbolicname org.glassfish.jersey.containers.jersey-container-servlet-core Medium Product jar package name glassfish Highest Product Manifest bundle-docurl http://www.oracle.com/ Low Product pom artifactid jersey-container-servlet-core Highest Product pom groupid glassfish.jersey.containers Highest Product pom name jersey-container-servlet-core High Product Manifest Bundle-Name jersey-container-servlet-core Medium Product pom parent-artifactid project Medium Product pom parent-groupid org.glassfish.jersey.containers Medium Product jar package name jersey Highest Version file version 2.22.2 High Version gradle version 2.22.2 Highest Version Manifest Bundle-Version 2.22.2 High Version pom version 2.22.2 Highest
jersey-core-1.9.jar
Description: Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.
License: http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.sun.jersey/jersey-core/1.9/8341846f18187013bb9e27e46b7ee00a6395daf4/jersey-core-1.9.jar
MD5: 73d196595f5e410a37c0a4337350ceb7
SHA1: 8341846f18187013bb9e27e46b7ee00a6395daf4
SHA256: 2c6d0ec88fc8c36cb41637d9c00d0698c22cb6b6a137fa526ef782e00d2265bc
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath piglet:default Evidence Type Source Name Value Confidence Vendor jar package name sun Highest Vendor pom parent-artifactid jersey-project Low Vendor gradle groupid com.sun.jersey Highest Vendor pom parent-groupid com.sun.jersey Medium Vendor Manifest Implementation-Vendor Oracle Corporation High Vendor pom groupid sun.jersey Highest Vendor Manifest bundle-docurl http://www.oracle.com/ Low Vendor jar package name core Highest Vendor pom name jersey-core High Vendor Manifest bundle-symbolicname com.sun.jersey.jersey-core Medium Vendor Manifest Implementation-Vendor-Id com.sun.jersey Medium Vendor pom artifactid jersey-core Low Vendor jar (hint) package name oracle Highest Vendor jar package name jersey Highest Vendor file name jersey-core High Product Manifest Implementation-Title jersey-core High Product jar package name sun Highest Product gradle artifactid jersey-core Highest Product pom parent-groupid com.sun.jersey Medium Product pom groupid sun.jersey Highest Product Manifest bundle-docurl http://www.oracle.com/ Low Product jar package name core Highest Product pom name jersey-core High Product pom artifactid jersey-core Highest Product pom parent-artifactid jersey-project Medium Product Manifest bundle-symbolicname com.sun.jersey.jersey-core Medium Product Manifest Bundle-Name jersey-core Medium Product jar package name jersey Highest Product file name jersey-core High Version gradle version 1.9 Highest Version file version 1.9 High Version Manifest Bundle-Version 1.9 High Version pom version 1.9 Highest Version Manifest Implementation-Version 1.9 High
jersey-guava-2.22.2.jar
Description: Jersey Guava Repackaged
License: http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.jersey.bundles.repackaged/jersey-guava/2.22.2/7422c693c89640c9685dfa99dbef2da745aa4617/jersey-guava-2.22.2.jar
MD5: d5da552c520f65980a21e9703f30453c
SHA1: 7422c693c89640c9685dfa99dbef2da745aa4617
SHA256: 0fdcc75d025aff4032d3b8be909b5a082913b27d953ad82dd5df2ad29aea636b
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor gradle groupid org.glassfish.jersey.bundles.repackaged Highest Vendor Manifest bundle-symbolicname org.glassfish.jersey.bundles.repackaged.jersey-guava Medium Vendor pom artifactid jersey-guava Low Vendor file name jersey-guava High Vendor jar package name repackaged Highest Vendor pom parent-artifactid project Low Vendor pom name jersey-repackaged-guava High Vendor jar package name jersey Highest Vendor pom groupid glassfish.jersey.bundles.repackaged Highest Vendor pom parent-groupid org.glassfish.jersey.bundles.repackaged Medium Vendor Manifest bundle-docurl http://www.oracle.com/ Low Product Manifest bundle-symbolicname org.glassfish.jersey.bundles.repackaged.jersey-guava Medium Product Manifest Bundle-Name jersey-repackaged-guava Medium Product jar package name repackaged Highest Product pom name jersey-repackaged-guava High Product jar package name com Highest Product pom parent-groupid org.glassfish.jersey.bundles.repackaged Medium Product Manifest bundle-docurl http://www.oracle.com/ Low Product file name jersey-guava High Product pom parent-artifactid project Medium Product pom artifactid jersey-guava Highest Product jar package name jersey Highest Product pom groupid glassfish.jersey.bundles.repackaged Highest Product gradle artifactid jersey-guava Highest Version file version 2.22.2 High Version gradle version 2.22.2 Highest Version Manifest Bundle-Version 2.22.2 High Version pom version 2.22.2 Highest
jersey-json-1.9.jar
Description: Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.
License: http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.sun.jersey/jersey-json/1.9/1aa73e1896bcc7013fed247157d7f676226eb432/jersey-json-1.9.jar
MD5: 17ca6b0d49ed8db159b7827b6defa6b6
SHA1: 1aa73e1896bcc7013fed247157d7f676226eb432
SHA256: cc5d535f43cef0d1c467240961aae35801a837ab010319e741b2c7a6658f3fd6
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath piglet:default Evidence Type Source Name Value Confidence Vendor jar package name sun Highest Vendor pom parent-artifactid jersey-project Low Vendor file name jersey-json High Vendor gradle groupid com.sun.jersey Highest Vendor pom parent-groupid com.sun.jersey Medium Vendor Manifest Implementation-Vendor Oracle Corporation High Vendor pom artifactid jersey-json Low Vendor pom groupid sun.jersey Highest Vendor Manifest bundle-docurl http://www.oracle.com/ Low Vendor pom name jersey-json High Vendor Manifest Implementation-Vendor-Id com.sun.jersey Medium Vendor jar (hint) package name oracle Highest Vendor Manifest bundle-symbolicname com.sun.jersey.jersey-json Medium Vendor jar package name jersey Highest Vendor jar package name json Highest Product gradle artifactid jersey-json Highest Product jar package name sun Highest Product file name jersey-json High Product Manifest Implementation-Title jersey-json High Product pom parent-groupid com.sun.jersey Medium Product pom groupid sun.jersey Highest Product Manifest Bundle-Name jersey-json Medium Product Manifest bundle-docurl http://www.oracle.com/ Low Product pom name jersey-json High Product pom artifactid jersey-json Highest Product pom parent-artifactid jersey-project Medium Product Manifest bundle-symbolicname com.sun.jersey.jersey-json Medium Product jar package name jersey Highest Product jar package name json Highest Version gradle version 1.9 Highest Version file version 1.9 High Version Manifest Bundle-Version 1.9 High Version pom version 1.9 Highest Version Manifest Implementation-Version 1.9 High
jersey-media-jaxb-2.22.2.jar
Description: JAX-RS features based upon JAX-B.
License: http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.jersey.media/jersey-media-jaxb/2.22.2/7a9adf97790a92d09a1f2c027dbd34af15ffee04/jersey-media-jaxb-2.22.2.jar
MD5: 8c868cadfd83b1c7c27a3d7455733293
SHA1: 7a9adf97790a92d09a1f2c027dbd34af15ffee04
SHA256: 0a99789dd4f2f24451f7cf423d5682dbef39a34609555f455b73546967b9c225
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor file name jersey-media-jaxb High Vendor Manifest bundle-symbolicname org.glassfish.jersey.media.jersey-media-jaxb Medium Vendor pom parent-artifactid project Low Vendor gradle groupid org.glassfish.jersey.media Highest Vendor pom artifactid jersey-media-jaxb Low Vendor jar package name glassfish Highest Vendor Manifest bundle-docurl http://www.oracle.com/ Low Vendor pom name jersey-media-jaxb High Vendor pom groupid glassfish.jersey.media Highest Vendor jar package name jaxb Highest Vendor jar package name jersey Highest Vendor pom parent-groupid org.glassfish.jersey.media Medium Product file name jersey-media-jaxb High Product Manifest bundle-symbolicname org.glassfish.jersey.media.jersey-media-jaxb Medium Product jar package name glassfish Highest Product Manifest bundle-docurl http://www.oracle.com/ Low Product Manifest Bundle-Name jersey-media-jaxb Medium Product pom name jersey-media-jaxb High Product pom parent-artifactid project Medium Product pom groupid glassfish.jersey.media Highest Product jar package name jaxb Highest Product pom artifactid jersey-media-jaxb Highest Product jar package name jersey Highest Product pom parent-groupid org.glassfish.jersey.media Medium Product gradle artifactid jersey-media-jaxb Highest Version file version 2.22.2 High Version gradle version 2.22.2 Highest Version Manifest Bundle-Version 2.22.2 High Version pom version 2.22.2 Highest
jersey-server-1.9.jar
Description: Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.
License: http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.sun.jersey/jersey-server/1.9/3a6ea7cc5e15c824953f9f3ece2201b634d90d18/jersey-server-1.9.jar
MD5: 0c98f6cca5df8197b310a0d1d89bb34a
SHA1: 3a6ea7cc5e15c824953f9f3ece2201b634d90d18
SHA256: 3ded91b198077561bd51f6c0442c9cd70b754d8b31b61afaf448bda9d01848f0
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath piglet:default Evidence Type Source Name Value Confidence Vendor jar package name sun Highest Vendor pom parent-artifactid jersey-project Low Vendor Manifest bundle-symbolicname com.sun.jersey.jersey-server Medium Vendor gradle groupid com.sun.jersey Highest Vendor pom parent-groupid com.sun.jersey Medium Vendor Manifest Implementation-Vendor Oracle Corporation High Vendor pom name jersey-server High Vendor pom groupid sun.jersey Highest Vendor Manifest bundle-docurl http://www.oracle.com/ Low Vendor pom artifactid jersey-server Low Vendor Manifest Implementation-Vendor-Id com.sun.jersey Medium Vendor jar package name server Highest Vendor jar (hint) package name oracle Highest Vendor jar package name jersey Highest Vendor file name jersey-server High Product Manifest Bundle-Name jersey-server Medium Product jar package name sun Highest Product Manifest bundle-symbolicname com.sun.jersey.jersey-server Medium Product pom parent-groupid com.sun.jersey Medium Product pom artifactid jersey-server Highest Product pom name jersey-server High Product pom groupid sun.jersey Highest Product Manifest bundle-docurl http://www.oracle.com/ Low Product gradle artifactid jersey-server Highest Product pom parent-artifactid jersey-project Medium Product Manifest Implementation-Title jersey-server High Product jar package name server Highest Product jar package name jersey Highest Product file name jersey-server High Version gradle version 1.9 Highest Version file version 1.9 High Version Manifest Bundle-Version 1.9 High Version pom version 1.9 Highest Version Manifest Implementation-Version 1.9 High
jersey-server-2.22.2.jar
Description: Jersey core server implementation
License: http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.jersey.core/jersey-server/2.22.2/5ede3e5f98f8b14d31d1d0fffe9908df2bd41c0f/jersey-server-2.22.2.jar
MD5: 62d36194c28af7a49966554af421488f
SHA1: 5ede3e5f98f8b14d31d1d0fffe9908df2bd41c0f
SHA256: 8f8649b568d068f053362fa3def56206166dfceb3baa74e9f19eff6f8f8d9f1f
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor jar package name org Highest Vendor pom parent-groupid org.glassfish.jersey Medium Vendor pom groupid glassfish.jersey.core Highest Vendor pom parent-artifactid project Low Vendor Manifest bundle-symbolicname org.glassfish.jersey.core.jersey-server Medium Vendor jar package name glassfish Highest Vendor Manifest bundle-docurl http://www.oracle.com/ Low Vendor pom artifactid jersey-server Low Vendor pom name jersey-core-server High Vendor jar package name server Highest Vendor gradle groupid org.glassfish.jersey.core Highest Vendor jar package name jersey Highest Vendor file name jersey-server High Product jar package name org Highest Product pom parent-groupid org.glassfish.jersey Medium Product pom groupid glassfish.jersey.core Highest Product pom artifactid jersey-server Highest Product Manifest Bundle-Name jersey-core-server Medium Product Manifest bundle-symbolicname org.glassfish.jersey.core.jersey-server Medium Product jar package name glassfish Highest Product Manifest bundle-docurl http://www.oracle.com/ Low Product pom name jersey-core-server High Product gradle artifactid jersey-server Highest Product pom parent-artifactid project Medium Product jar package name server Highest Product jar package name jersey Highest Product file name jersey-server High Version file version 2.22.2 High Version gradle version 2.22.2 Highest Version Manifest Bundle-Version 2.22.2 High Version pom version 2.22.2 Highest
jets3t-0.7.1.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.java.dev.jets3t/jets3t/0.7.1/2d10b62398360c674b4039ea4f2d1c697f46f6cd/jets3t-0.7.1.jar
MD5: f170ab1887bf86b5eda9f4f662b5c3ad
SHA1: 2d10b62398360c674b4039ea4f2d1c697f46f6cd
SHA256: cf3c047571471682a7f59df54808a7143d78c6b8f6826809ee95a2f9637b7e60
Referenced In Projects/Scopes:
pig:runtimeClasspath pig:default pig:compileClasspath Evidence Type Source Name Value Confidence Vendor jar package name jets3t Low Vendor jar package name service Low Vendor file name jets3t High Vendor gradle groupid net.java.dev.jets3t Highest Product jar package name service Low Product file name jets3t High Product gradle artifactid jets3t Highest Version gradle version 0.7.1 Highest Version file name jets3t Medium Version file version 0.7.1 High
jets3t-0.9.0.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.java.dev.jets3t/jets3t/0.9.0/792bc96ee7e57b89f472aa0cb5a31015b9f59c96/jets3t-0.9.0.jar
MD5: 22559a7c686b19534707228decc3c6d7
SHA1: 792bc96ee7e57b89f472aa0cb5a31015b9f59c96
SHA256: e89893fc754b252af717d7d14accda946f7dfcfc1e293fd3e04725163d661bd7
Referenced In Projects/Scopes:
piglet:compileClasspath piglet:runtimeClasspath piglet:default Evidence Type Source Name Value Confidence Vendor jar package name jets3t Low Vendor jar package name service Low Vendor file name jets3t High Vendor gradle groupid net.java.dev.jets3t Highest Product jar package name service Low Product file name jets3t High Product gradle artifactid jets3t Highest Version file version 0.9.0 High Version file name jets3t Medium Version gradle version 0.9.0 Highest
jets3t-0.9.3.jar
Description: Toolkit for Amazon S3, Amazon CloudFront, and Google Storage Service.
License: Apache 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.java.dev.jets3t/jets3t/0.9.3/65fbf0c71718078fc7ac1facdbf3cf53afa64abd/jets3t-0.9.3.jar
MD5: e66e1e5756a2e2cb4fc994d78c1340bc
SHA1: 65fbf0c71718078fc7ac1facdbf3cf53afa64abd
SHA256: 39b1bef7935ad78a12a444a179f728064d478580e0e82f6301ddbe15ad07fbd9
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor Manifest Implementation-Vendor-Id net.java.dev.jets3t Medium Vendor pom artifactid jets3t Low Vendor pom url https://bitbucket.org/jmurty/jets3t/overview Highest Vendor jar package name jets3t Highest Vendor jar package name service Highest Vendor file name jets3t High Vendor jar package name cloudfront Highest Vendor gradle groupid net.java.dev.jets3t Highest Vendor pom name JetS3t High Vendor jar package name s3 Highest Vendor pom groupid net.java.dev.jets3t Highest Product pom artifactid jets3t Highest Product jar package name jets3t Highest Product Manifest specification-title JetS3t Medium Product jar package name service Highest Product Manifest Implementation-Title JetS3t High Product jar package name s3 Highest Product pom url https://bitbucket.org/jmurty/jets3t/overview Medium Product file name jets3t High Product jar package name cloudfront Highest Product pom name JetS3t High Product pom groupid net.java.dev.jets3t Highest Product gradle artifactid jets3t Highest Version pom version 0.9.3 Highest Version Manifest Implementation-Version 0.9.3 High Version gradle version 0.9.3 Highest Version file version 0.9.3 High
jettison-1.1.jar
Description: A StAX implementation for JSON.
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.codehaus.jettison/jettison/1.1/1a01a2a1218fcf9faa2cc2a6ced025bdea687262/jettison-1.1.jar
MD5: fc80e0aabd516c54739262c3d618303a
SHA1: 1a01a2a1218fcf9faa2cc2a6ced025bdea687262
SHA256: 377940288b0643c48780137f6f68578937e1ea5ca2b73830a820c50a7b7ed801
Referenced In Projects/Scopes:
piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor pom name Jettison High Vendor file name jettison High Vendor Manifest bundle-symbolicname org.codehaus.jettison.jettison Medium Vendor jar package name codehaus Highest Vendor pom artifactid jettison Low Vendor jar package name jettison Highest Vendor jar package name json Highest Vendor pom groupid codehaus.jettison Highest Vendor gradle groupid org.codehaus.jettison Highest Product gradle artifactid jettison Highest Product pom name Jettison High Product file name jettison High Product Manifest Implementation-Title Jettison High Product pom artifactid jettison Highest Product Manifest bundle-symbolicname org.codehaus.jettison.jettison Medium Product jar package name codehaus Highest Product Manifest Bundle-Name jettison Medium Product jar package name jettison Highest Product jar package name json Highest Product pom groupid codehaus.jettison Highest Version file version 1.1 High Version Manifest Bundle-Version 1.1 High Version pom version 1.1 Highest Version Manifest Implementation-Version 1.1 High Version gradle version 1.1 Highest
jetty-6.1.26.jar
Description: Jetty server core
License: http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.mortbay.jetty/jetty/6.1.26/2f546e289fddd5b1fab1d4199fbb6e9ef43ee4b0/jetty-6.1.26.jar
MD5: 12b65438bbaf225102d0396c21236052
SHA1: 2f546e289fddd5b1fab1d4199fbb6e9ef43ee4b0
SHA256: 21091d3a9c1349f640fdc421504a604c040ed89087ecc12afbe32353326ed4e5
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath Evidence Type Source Name Value Confidence Vendor Manifest url http://www.eclipse.org/jetty/jetty-parent/project/modules/jetty Low Vendor file name jetty High Vendor pom name Jetty Server High Vendor jar package name mortbay Highest Vendor pom artifactid jetty Low Vendor pom parent-artifactid project Low Vendor Manifest mode development Low Vendor pom groupid mortbay.jetty Highest Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.4 Low Vendor Manifest originally-created-by 1.6.0_22 (Sun Microsystems Inc.) Low Vendor pom parent-groupid org.mortbay.jetty Medium Vendor jar package name jetty Highest Vendor Manifest bundle-docurl http://jetty.mortbay.org Low Vendor gradle groupid org.mortbay.jetty Highest Vendor Manifest bundle-symbolicname org.mortbay.jetty.server Medium Vendor jar package name server Highest Product Manifest url http://www.eclipse.org/jetty/jetty-parent/project/modules/jetty Low Product Manifest Bundle-Name Jetty Server Medium Product file name jetty High Product pom name Jetty Server High Product jar package name mortbay Highest Product Manifest mode development Low Product pom groupid mortbay.jetty Highest Product gradle artifactid jetty Highest Product Manifest bundle-requiredexecutionenvironment J2SE-1.4 Low Product Manifest originally-created-by 1.6.0_22 (Sun Microsystems Inc.) Low Product pom parent-groupid org.mortbay.jetty Medium Product pom artifactid jetty Highest Product pom parent-artifactid project Medium Product jar package name jetty Highest Product Manifest bundle-docurl http://jetty.mortbay.org Low Product jar package name server Highest Product Manifest bundle-symbolicname org.mortbay.jetty.server Medium Version gradle version 6.1.26 Highest Version Manifest implementation-version 6.1.26 High Version Manifest Bundle-Version 6.1.26 High Version pom version 6.1.26 Highest Version file version 6.1.26 High
Published Vulnerabilities
CVE-2009-1523
Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI. CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N References:
Vulnerable Software & Versions:
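Two notes on this finding. First, the description's own range (6.x before 6.1.17) does not cover jetty-6.1.26, so this is a CPE range match that should be confirmed against the advisory before it is counted, not a verified hit. Second, the check the CVE describes as missing is simple to state and easy to get wrong in ordering; the Python below is an added example, not Jetty's code, showing a request path resolved against an assumed document root with decoding done exactly once and before the traversal test. The document root and every URI are constructed for the demonstration.

```python
"""Map a request URI onto a document root without letting it escape.
Added example, not Jetty's code; DOCROOT is an assumed value."""
from pathlib import PurePosixPath
from urllib.parse import unquote

DOCROOT = PurePosixPath("/var/www/site")   # assumed document root


class TraversalError(ValueError):
    """Raised where the server should answer 400 and serve nothing."""


def resolve_request_path(uri: str, docroot: PurePosixPath = DOCROOT) -> PurePosixPath:
    """Return the filesystem path for a request URI, or raise TraversalError."""
    path = uri.split("?", 1)[0]            # only the path part maps to the filesystem
    decoded = unquote(path)                # decode exactly once ...
    if "%" in decoded:                     # ... and refuse what would decode again lower down
        raise TraversalError("percent sign survives decoding: " + path)
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path: " + path)
    # A backslash that a later layer would normalise to '/' has to count as a
    # separator now, or the traversal test runs on the wrong segments.
    parts = []
    for seg in decoded.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:                  # trying to climb above the root
                raise TraversalError("path escapes the document root: " + path)
            parts.pop()
        else:
            parts.append(seg)
    resolved = docroot.joinpath(*parts)
    # Final containment check, independent of how the loop got here.
    if resolved != docroot and docroot not in resolved.parents:
        raise TraversalError("resolved outside the document root: " + path)
    return resolved


def is_traversal(uri: str) -> bool:
    """True when the URI is rejected; used to exercise the check."""
    try:
        resolve_request_path(uri)
    except TraversalError:
        return True
    return False
```

Rejecting a climb above the root, rather than silently clamping it, is deliberate: a clamped `/../../etc/passwd` would quietly serve `/etc/passwd`'s namesake under the root and hide the probe from the logs.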
CVE-2011-4461
Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. CWE-310 Cryptographic Issues
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L References:
Vulnerable Software & Versions:
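The attack above needs only that the server hash every submitted parameter name into a table whose hash function the client can predict. The Python below is an added example, not Jetty's code: it re-implements Java's String.hashCode(), builds a set of parameter names that all land in one bucket, and shows the form parser that caps the number of pairs it will hash, which bounds the attacker's cost at the cap. The cap value and the flood body are assumptions constructed for the demonstration; choose the real cap from the largest legitimate form the application serves.

```python
"""Hash-collision flooding of form parameters and the parameter-count cap
that bounds it. Added example, not Jetty's code; MAX_FORM_KEYS is assumed."""
from itertools import product
from typing import Dict, List

MAX_FORM_KEYS = 1000   # assumed cap for this example


def java_string_hash(s: str) -> int:
    """Java's String.hashCode(): h = 31*h + c over the chars, wrapping at 32 bits (signed)."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h & 0x80000000 else h


def colliding_keys(blocks: int) -> List[str]:
    """2**blocks distinct keys sharing one Java hash. 'Aa' and 'BB' both hash to 2112,
    and the hash of a concatenation depends only on each block's hash and position,
    so every same-length mix of the two blocks collides."""
    return ["".join(p) for p in product(("Aa", "BB"), repeat=blocks)]


def distinct_hashes(keys: List[str]) -> int:
    """Number of distinct hash buckets a key set occupies (1 means a total collision)."""
    return len({java_string_hash(k) for k in keys})


def flood_body(keys: List[str]) -> str:
    """Constructed application/x-www-form-urlencoded body, one pair per key."""
    return "&".join(f"{k}=x" for k in keys)


class TooManyParameters(ValueError):
    """Raised where the server should answer 400 instead of hashing further pairs."""


def parse_form(body: str, max_keys: int = MAX_FORM_KEYS) -> Dict[str, List[str]]:
    """Decode a form body into a multi-map, refusing to hash more than max_keys pairs.
    The cap is checked before each insert, so the work done per request is bounded."""
    params: Dict[str, List[str]] = {}
    seen = 0
    for pair in body.split("&"):
        if not pair:
            continue
        seen += 1
        if seen > max_keys:
            raise TooManyParameters(f"more than {max_keys} form parameters")
        key, _, value = pair.partition("=")
        params.setdefault(key, []).append(value)
    return params


def flood_rejected(blocks: int) -> bool:
    """True when a flood of 2**blocks colliding keys is refused by parse_form."""
    try:
        parse_form(flood_body(colliding_keys(blocks)))
    except TooManyParameters:
        return True
    return False
```

The cap is a bound, not a fix for the hash function: a flood just under the cap still costs O(n^2) in a chained table, which is why later JDKs also switched HashMap buckets to trees and why keyed or randomised hashing is the complete answer.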
CVE-2017-7656 (OSSINDEX)
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response. CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.mortbay.jetty:jetty:6.1.26:*:*:*:*:*:*:*
CVE-2017-7657 (OSSINDEX)
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request. CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.mortbay.jetty:jetty:6.1.26:*:*:*:*:*:*:*
CVE-2017-7658 (OSSINDEX)
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-length headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization. CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.mortbay.jetty:jetty:6.1.26:*:*:*:*:*:*:*
CVE-2017-9735 (OSSINDEX)
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords. CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.mortbay.jetty:jetty:6.1.26:*:*:*:*:*:*:*
CVE-2019-10241 (OSSINDEX)
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. CVSSv3:
Base Score: MEDIUM (6.1) Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.mortbay.jetty:jetty:6.1.26:*:*:*:*:*:*:*
CVE-2019-10247 (OSSINDEX)
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error; it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context. CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.mortbay.jetty:jetty:6.1.26:*:*:*:*:*:*:*
CVE-2020-27216 (OSSINDEX)
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2, on Unix-like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary subdirectory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability. CVSSv3:
Base Score: HIGH (7.8) Vector: CVSS:/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.mortbay.jetty:jetty:6.1.26:*:*:*:*:*:*:*
jetty-http-9.4.15.v20190215.jar
Description: Jetty module for Jetty :: Http Utility
License: http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.4.15.v20190215/b6ccda5ec5580914ff2fcbd0b9a7e3327e11ba01/jetty-http-9.4.15.v20190215.jar
MD5: 47751eaffe13cc81aca359adeee6b489
SHA1: b6ccda5ec5580914ff2fcbd0b9a7e3327e11ba01
SHA256: c95711e9759a2bfa43ad5e7eadbbbf86152acba065e38121181bc41596647f9a
Referenced In Projects/Scopes: calcite:sqllineClasspath plus:compileClasspath geode:default spark:default spark:compileClasspath geode:runtimeClasspath plus:default plus:runtimeClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor Manifest originally-created-by Apache Maven Bundle Plugin Low Vendor gradle groupid org.eclipse.jetty Highest Vendor Manifest bundle-requiredexecutionenvironment JavaSE-1.8 Low Vendor pom url http://www.eclipse.org/jetty Highest Vendor Manifest bundle-docurl http://www.eclipse.org/jetty Low Vendor pom name Jetty :: Http Utility High Vendor jar package name eclipse Highest Vendor Manifest bundle-copyright Copyright (c) 2008-2019 Mort Bay Consulting Pty. Ltd. Low Vendor Manifest automatic-module-name org.eclipse.jetty.http Medium Vendor pom parent-artifactid jetty-project Low Vendor Manifest provide-capability osgi.serviceloader;osgi.serviceloader="org.eclipse.jetty.http.HttpFieldPreEncoder" Low Vendor Manifest Implementation-Vendor Eclipse Jetty Project High Vendor Manifest require-capability osgi.serviceloader;filter:="(osgi.serviceloader=org.eclipse.jetty.http.HttpFieldPreEncoder)";resolution:=optional;cardinality:=multiple,osgi.extender;filter:="(osgi.extender=osgi.serviceloader.processor)";resolution:=optional,osgi.extender;filter:="(osgi.extender=osgi.serviceloader.registrar)";resolution:=optional,osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor file name jetty-http High Vendor jar package name jetty Highest Vendor pom parent-groupid org.eclipse.jetty Medium Vendor jar package name http Highest Vendor pom groupid eclipse.jetty Highest Vendor Manifest bundle-symbolicname org.eclipse.jetty.http Medium Vendor pom artifactid jetty-http Low Vendor Manifest url http://www.eclipse.org/jetty Low Product Manifest originally-created-by Apache Maven Bundle Plugin Low Product Manifest bundle-requiredexecutionenvironment JavaSE-1.8 Low Product Manifest bundle-docurl http://www.eclipse.org/jetty Low Product pom artifactid jetty-http Highest Product pom name Jetty :: Http Utility High Product jar package name eclipse Highest Product Manifest bundle-copyright Copyright (c) 2008-2019 Mort Bay Consulting Pty. Ltd. Low Product Manifest automatic-module-name org.eclipse.jetty.http Medium Product pom url http://www.eclipse.org/jetty Medium Product gradle artifactid jetty-http Highest Product Manifest provide-capability osgi.serviceloader;osgi.serviceloader="org.eclipse.jetty.http.HttpFieldPreEncoder" Low Product jar package name httpfieldpreencoder Highest Product Manifest require-capability osgi.serviceloader;filter:="(osgi.serviceloader=org.eclipse.jetty.http.HttpFieldPreEncoder)";resolution:=optional;cardinality:=multiple,osgi.extender;filter:="(osgi.extender=osgi.serviceloader.processor)";resolution:=optional,osgi.extender;filter:="(osgi.extender=osgi.serviceloader.registrar)";resolution:=optional,osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product file name jetty-http High Product jar package name jetty Highest Product pom parent-artifactid jetty-project Medium Product pom parent-groupid org.eclipse.jetty Medium Product jar package name http Highest Product pom groupid eclipse.jetty Highest Product Manifest bundle-symbolicname org.eclipse.jetty.http Medium Product Manifest Bundle-Name Jetty :: Http Utility Medium Product Manifest url http://www.eclipse.org/jetty Low Version file version 9.4.15.v20190215 High Version pom version 9.4.15.v20190215 Highest Version gradle version 9.4.15.v20190215 Highest Version Manifest Implementation-Version 9.4.15.v20190215 High Version Manifest Bundle-Version 9.4.15.v20190215 High
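Before the jetty-http findings, a worked look at the two jetty-6.1.26 framing defects listed above, since both are the same failure seen twice: the server frames the request body differently from the intermediary in front of it, so bytes the intermediary treated as body become a second, unauthorised request on the server. CVE-2017-7657 gets there by overflowing the chunk-size accumulator; CVE-2017-7658 by honouring a different Content-Length, or Transfer-Encoding over Content-Length, than the proxy did. The Python below is an added example, not Jetty's code: it shows the overflowing size parser beside a bounded one, and a framing decision that rejects every ambiguous header combination instead of resolving it. The chunk ceiling and all sample requests are assumptions constructed for the demonstration.

```python
"""HTTP/1.1 body-framing checks. Added example, not Jetty's code;
MAX_CHUNK and the request bytes in the tests are constructed."""
from typing import List, Optional, Tuple

INT64_MASK = (1 << 64) - 1
MAX_CHUNK = 1 << 31            # assumed per-chunk ceiling for this example


class BadRequest(ValueError):
    """Raised where a hardened parser must answer 400 and close the connection."""


def parse_headers(raw: bytes) -> Tuple[List[Tuple[str, str]], bytes]:
    """Split a request into [(lower-cased name, value), ...] and the bytes after the blank line."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete header block")
    headers = []
    for line in head.split(b"\r\n")[1:]:                 # [0] is the request line
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise BadRequest("malformed header line")
        headers.append((name.strip().lower().decode("ascii"), value.strip().decode("ascii")))
    return headers, rest


def overflowing_chunk_size(hexdigits: str) -> int:
    """The defect: size = size*16 + digit in a 64-bit register with no bound check,
    so a 17-digit chunk size wraps and a huge chunk is read as a tiny one."""
    size = 0
    for ch in hexdigits:
        size = ((size << 4) | int(ch, 16)) & INT64_MASK
    return size


def safe_chunk_size(hexdigits: str, max_chunk: int = MAX_CHUNK) -> int:
    """Bound the accumulator on every digit, so it can never wrap."""
    if not hexdigits or any(c not in "0123456789abcdefABCDEF" for c in hexdigits):
        raise BadRequest("bad chunk-size field")
    size = 0
    for ch in hexdigits:
        size = (size << 4) | int(ch, 16)
        if size > max_chunk:
            raise BadRequest("chunk size exceeds limit")
    return size


def body_framing(headers: List[Tuple[str, str]]) -> Tuple[str, Optional[int]]:
    """Decide how the body is delimited. Ambiguity is rejected, not resolved: a
    resolution that differs from the intermediary's is exactly what smuggling needs."""
    lengths = [v for n, v in headers if n == "content-length"]
    codings = [v for n, v in headers if n == "transfer-encoding"]
    if codings and lengths:
        raise BadRequest("Content-Length together with Transfer-Encoding")
    if len(lengths) > 1:
        raise BadRequest("multiple Content-Length headers")
    if codings:
        if codings[-1].split(",")[-1].strip().lower() != "chunked":
            raise BadRequest("final transfer-coding is not chunked")
        return "chunked", None
    if lengths:
        if not lengths[0].isdigit():
            raise BadRequest("non-numeric Content-Length")
        return "length", int(lengths[0])
    return "length", 0


def decode_chunked(data: bytes, max_chunk: int = MAX_CHUNK) -> Tuple[bytes, bytes]:
    """Return (body, leftover); leftover is the next pipelined request, if any."""
    out, pos = bytearray(), 0
    while True:
        nl = data.find(b"\r\n", pos)
        if nl < 0:
            raise BadRequest("truncated chunk-size line")
        field = data[pos:nl].split(b";", 1)[0].strip().decode("ascii", "replace")
        size = safe_chunk_size(field, max_chunk)
        pos = nl + 2
        if size == 0:
            if data[pos:pos + 2] != b"\r\n":             # trailers are not accepted here
                raise BadRequest("trailer section not supported")
            return bytes(out), data[pos + 2:]
        if len(data) < pos + size + 2 or data[pos + size:pos + size + 2] != b"\r\n":
            raise BadRequest("truncated or unterminated chunk")
        out += data[pos:pos + size]
        pos += size + 2


def frame_request(raw: bytes) -> Tuple[bytes, bytes]:
    """Parse one request; return (body, bytes that belong to the next request)."""
    headers, rest = parse_headers(raw)
    mode, length = body_framing(headers)
    if mode == "chunked":
        return decode_chunked(rest)
    if len(rest) < length:
        raise BadRequest("body shorter than Content-Length")
    return rest[:length], rest[length:]


def rejects(fn, *args) -> bool:
    """True when fn(*args) raises BadRequest; used to exercise the checks."""
    try:
        fn(*args)
    except BadRequest:
        return True
    return False
```

Rejecting duplicate Content-Length outright, even when the values agree, is one of the two behaviours RFC 7230 permits and the one that leaves no room for a proxy to disagree; the price is a 400 for a client that was already sending malformed requests.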
Published Vulnerabilities:
CVE-2019-10241
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2019-10247
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location in the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error; it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context. CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2020-27216
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix-like systems, the system's temporary directory is shared between all users on that system. A co-located user can observe the process of creating a temporary subdirectory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability. NVD-CWE-Other
CVSSv2: Base Score: MEDIUM (4.4) Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.0) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2020-27218
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request. NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:P
CVSSv3: Base Score: MEDIUM (4.8) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-27223
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0, when Jetty handles a request containing multiple Accept headers with a large number of "quality" (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References:
Vulnerable Software & Versions:
CVE-2021-28165
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: HIGH (7.8) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
jetty-io-9.4.15.v20190215.jar
Description:
Jetty module for Jetty :: IO Utility
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-io/9.4.15.v20190215/e9f3cb0e56ff0bf15c42fd977d220e494e66c61c/jetty-io-9.4.15.v20190215.jar
MD5: 7fb59c495da438962443da48a2f9b958
SHA1: e9f3cb0e56ff0bf15c42fd977d220e494e66c61c
SHA256: 6f40f4162739ebf1c89a96165f31598bae4101b264098017af563853af8a662a
Referenced In Projects/Scopes: calcite:sqllineClasspath plus:compileClasspath geode:default spark:default spark:compileClasspath geode:runtimeClasspath plus:default plus:runtimeClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Vendor | pom | url | http://www.eclipse.org/jetty | Highest
Vendor | pom | name | Jetty :: IO Utility | High
Vendor | Manifest | bundle-docurl | http://www.eclipse.org/jetty | Low
Vendor | jar | package name | eclipse | Highest
Vendor | Manifest | bundle-copyright | Copyright (c) 2008-2019 Mort Bay Consulting Pty. Ltd. | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.io | Medium
Vendor | pom | parent-artifactid | jetty-project | Low
Vendor | Manifest | automatic-module-name | org.eclipse.jetty.io | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | jar | package name | jetty | Highest
Vendor | pom | parent-groupid | org.eclipse.jetty | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | pom | groupid | eclipse.jetty | Highest
Vendor | jar | package name | io | Highest
Vendor | pom | artifactid | jetty-io | Low
Vendor | file | name | jetty-io | High
Vendor | Manifest | url | http://www.eclipse.org/jetty | Low
Product | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Product | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Product | Manifest | Bundle-Name | Jetty :: IO Utility | Medium
Product | pom | name | Jetty :: IO Utility | High
Product | Manifest | bundle-docurl | http://www.eclipse.org/jetty | Low
Product | jar | package name | eclipse | Highest
Product | Manifest | bundle-copyright | Copyright (c) 2008-2019 Mort Bay Consulting Pty. Ltd. | Low
Product | Manifest | bundle-symbolicname | org.eclipse.jetty.io | Medium
Product | pom | url | http://www.eclipse.org/jetty | Medium
Product | Manifest | automatic-module-name | org.eclipse.jetty.io | Medium
Product | gradle | artifactid | jetty-io | Highest
Product | jar | package name | jetty | Highest
Product | pom | parent-artifactid | jetty-project | Medium
Product | pom | parent-groupid | org.eclipse.jetty | Medium
Product | pom | artifactid | jetty-io | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | pom | groupid | eclipse.jetty | Highest
Product | jar | package name | io | Highest
Product | file | name | jetty-io | High
Product | Manifest | url | http://www.eclipse.org/jetty | Low
Version | file | version | 9.4.15.v20190215 | High
Version | pom | version | 9.4.15.v20190215 | Highest
Version | gradle | version | 9.4.15.v20190215 | Highest
Version | Manifest | Implementation-Version | 9.4.15.v20190215 | High
Version | Manifest | Bundle-Version | 9.4.15.v20190215 | High
Published Vulnerabilities:
CVE-2021-28165 (OSSINDEX)
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.eclipse.jetty:jetty-io:9.4.15.v20190215:*:*:*:*:*:*:*
jetty-security-9.4.15.v20190215.jar
Description:
Jetty security infrastructure
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-security/9.4.15.v20190215/bfb074a843d7961111143a193c846040bd089365/jetty-security-9.4.15.v20190215.jar
MD5: 791330b0b59523faf4730911c7f66bb5
SHA1: bfb074a843d7961111143a193c846040bd089365
SHA256: 2ae35c6be04d3f47d82fc75e337f6c4cf43ae6e04046cc8b9d6b4b2bb679f507
Referenced In Projects/Scopes: calcite:sqllineClasspath plus:compileClasspath plus:default plus:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.security | Medium
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Vendor | Manifest | automatic-module-name | org.eclipse.jetty.security | Medium
Vendor | pom | url | http://www.eclipse.org/jetty | Highest
Vendor | Manifest | bundle-docurl | http://www.eclipse.org/jetty | Low
Vendor | pom | name | Jetty :: Security | High
Vendor | jar | package name | eclipse | Highest
Vendor | Manifest | bundle-copyright | Copyright (c) 2008-2019 Mort Bay Consulting Pty. Ltd. | Low
Vendor | pom | artifactid | jetty-security | Low
Vendor | pom | parent-artifactid | jetty-project | Low
Vendor | jar | package name | security | Highest
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | file | name | jetty-security | High
Vendor | jar | package name | jetty | Highest
Vendor | pom | parent-groupid | org.eclipse.jetty | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | pom | groupid | eclipse.jetty | Highest
Vendor | Manifest | url | http://www.eclipse.org/jetty | Low
Product | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Product | Manifest | bundle-symbolicname | org.eclipse.jetty.security | Medium
Product | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Product | Manifest | automatic-module-name | org.eclipse.jetty.security | Medium
Product | Manifest | Bundle-Name | Jetty :: Security | Medium
Product | Manifest | bundle-docurl | http://www.eclipse.org/jetty | Low
Product | pom | name | Jetty :: Security | High
Product | jar | package name | eclipse | Highest
Product | Manifest | bundle-copyright | Copyright (c) 2008-2019 Mort Bay Consulting Pty. Ltd. | Low
Product | pom | url | http://www.eclipse.org/jetty | Medium
Product | jar | package name | security | Highest
Product | file | name | jetty-security | High
Product | jar | package name | jetty | Highest
Product | pom | artifactid | jetty-security | Highest
Product | pom | parent-artifactid | jetty-project | Medium
Product | pom | parent-groupid | org.eclipse.jetty | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | pom | groupid | eclipse.jetty | Highest
Product | gradle | artifactid | jetty-security | Highest
Product | Manifest | url | http://www.eclipse.org/jetty | Low
Version | file | version | 9.4.15.v20190215 | High
Version | pom | version | 9.4.15.v20190215 | Highest
Version | gradle | version | 9.4.15.v20190215 | Highest
Version | Manifest | Implementation-Version | 9.4.15.v20190215 | High
Version | Manifest | Bundle-Version | 9.4.15.v20190215 | High
Published Vulnerabilities:
CVE-2019-10241
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2019-10247
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location in the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error; it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context. CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2020-27216
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix-like systems, the system's temporary directory is shared between all users on that system. A co-located user can observe the process of creating a temporary subdirectory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability. NVD-CWE-Other
CVSSv2: Base Score: MEDIUM (4.4) Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.0) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2020-27218
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request. NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:P
CVSSv3: Base Score: MEDIUM (4.8) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-27223
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0, when Jetty handles a request containing multiple Accept headers with a large number of "quality" (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References:
Vulnerable Software & Versions:
CVE-2021-28165
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: HIGH (7.8) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun edited a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - 
[spark-reviews] 20210408 [GitHub] [spark] viirya commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210517 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210517 [GitHub] [spark] jeffreysmooth commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.6.3 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-commits] 20210407 [zookeeper] branch master updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-dev] 20210407 Re: [VOTE] Apache ZooKeeper release 3.6.3 candidate 1 MLIST - [zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165 MLIST - [zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165 MLIST - [zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165 MLIST - [zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.38 CVE-2021-28165 MLIST - [zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad closed 
pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] asfgit closed pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 OSSINDEX - [CVE-2021-28165] In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to ... OSSINDEX - [CVE-2021-28165] In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to ... Vulnerable Software & Versions: (show all )
jetty-server-9.4.15.v20190215.jar
Description: The core jetty server artifact.
License: http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.4.15.v20190215/c3c67bd8ec3fe328de9e888e2e619362905a56ab/jetty-server-9.4.15.v20190215.jar
MD5: f406bc827774665a125068cc8dab5e2a
SHA1: c3c67bd8ec3fe328de9e888e2e619362905a56ab
SHA256: 7dda78de3ba23e0c9f7599fb295d5d861fe0ada615b856ce345cf2b8f4e5975f
Referenced In Projects/Scopes: calcite:sqllineClasspath plus:compileClasspath geode:default spark:default spark:compileClasspath geode:runtimeClasspath plus:default plus:runtimeClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Vendor | Manifest | automatic-module-name | org.eclipse.jetty.server | Medium
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Vendor | pom | url | http://www.eclipse.org/jetty | Highest
Vendor | Manifest | bundle-docurl | http://www.eclipse.org/jetty | Low
Vendor | jar | package name | eclipse | Highest
Vendor | Manifest | bundle-copyright | Copyright (c) 2008-2019 Mort Bay Consulting Pty. Ltd. | Low
Vendor | pom | parent-artifactid | jetty-project | Low
Vendor | pom | name | Jetty :: Server Core | High
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | server | Highest
Vendor | pom | parent-groupid | org.eclipse.jetty | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | pom | groupid | eclipse.jetty | Highest
Vendor | file | name | jetty-server | High
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.server | Medium
Vendor | Manifest | url | http://www.eclipse.org/jetty | Low
Vendor | pom | artifactid | jetty-server | Low
Product | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Product | pom | artifactid | jetty-server | Highest
Product | Manifest | automatic-module-name | org.eclipse.jetty.server | Medium
Product | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Product | Manifest | bundle-docurl | http://www.eclipse.org/jetty | Low
Product | jar | package name | eclipse | Highest
Product | Manifest | bundle-copyright | Copyright (c) 2008-2019 Mort Bay Consulting Pty. Ltd. | Low
Product | gradle | artifactid | jetty-server | Highest
Product | pom | url | http://www.eclipse.org/jetty | Medium
Product | pom | name | Jetty :: Server Core | High
Product | jar | package name | jetty | Highest
Product | pom | parent-artifactid | jetty-project | Medium
Product | jar | package name | server | Highest
Product | Manifest | Bundle-Name | Jetty :: Server Core | Medium
Product | pom | parent-groupid | org.eclipse.jetty | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | pom | groupid | eclipse.jetty | Highest
Product | file | name | jetty-server | High
Product | Manifest | bundle-symbolicname | org.eclipse.jetty.server | Medium
Product | Manifest | url | http://www.eclipse.org/jetty | Low
Version | file | version | 9.4.15.v20190215 | High
Version | pom | version | 9.4.15.v20190215 | Highest
Version | gradle | version | 9.4.15.v20190215 | Highest
Version | Manifest | Implementation-Version | 9.4.15.v20190215 | High
Version | Manifest | Bundle-Version | 9.4.15.v20190215 | High
Published Vulnerabilities
CVE-2019-10241
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2019-10247
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location in the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home includes at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error; it presents the various configured contexts as HTML for users to click through. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context. CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2020-27216
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2, on Unix-like systems, the system's temporary directory is shared between all users on that system. A co-located user can observe the process of creating a temporary subdirectory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability. NVD-CWE-Other
CVSSv2: Base Score: MEDIUM (4.4) Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.0) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2020-27218
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request. NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.8) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:P
CVSSv3: Base Score: MEDIUM (4.8) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-27223
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0, when Jetty handles a request containing multiple Accept headers with a large number of "quality" (i.e., q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References:
Vulnerable Software & Versions:
CVE-2021-28165
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: HIGH (7.8) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
CONFIRM - https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w
Vulnerable Software & Versions:
jetty-sslengine-6.1.26.jar
Description: Parent pom for Jetty at Codehaus
License: Apache License Version 2: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.mortbay.jetty/jetty-sslengine/6.1.26/60367999cee49a3b09fa86bdcb52310b6c896014/jetty-sslengine-6.1.26.jar
MD5: d3bea45d6939e57fccf450a914fe4e1a
SHA1: 60367999cee49a3b09fa86bdcb52310b6c896014
SHA256: 9c5f6bb168ba01b95d250b57f061c8094e1ce9c89ae4e773492bacb17192ea87
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | url | http://jetty.mortbay.org | Low
Vendor | jar | package name | mortbay | Highest
Vendor | pom | parent-artifactid | project | Low
Vendor | Manifest | bundle-symbolicname | org.mortbay.jetty.security | Medium
Vendor | Manifest | mode | development | Low
Vendor | pom | groupid | mortbay.jetty | Highest
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.4 | Low
Vendor | Manifest | originally-created-by | 1.6.0_22 (Sun Microsystems Inc.) | Low
Vendor | jar | package name | security | Highest
Vendor | pom | parent-groupid | org.mortbay.jetty | Medium
Vendor | pom | url | http://jetty.mortbay.org | Highest
Vendor | pom | artifactid | jetty-sslengine | Low
Vendor | jar | package name | jetty | Highest
Vendor | Manifest | bundle-docurl | http://jetty.mortbay.org | Low
Vendor | gradle | groupid | org.mortbay.jetty | Highest
Vendor | file | name | jetty-sslengine | High
Vendor | pom | name | Jetty SSLEngine | High
Product | pom | artifactid | jetty-sslengine | Highest
Product | Manifest | url | http://jetty.mortbay.org | Low
Product | jar | package name | mortbay | Highest
Product | Manifest | bundle-symbolicname | org.mortbay.jetty.security | Medium
Product | Manifest | mode | development | Low
Product | pom | groupid | mortbay.jetty | Highest
Product | Manifest | Bundle-Name | Jetty SSLEngine | Medium
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.4 | Low
Product | Manifest | originally-created-by | 1.6.0_22 (Sun Microsystems Inc.) | Low
Product | jar | package name | security | Highest
Product | pom | parent-groupid | org.mortbay.jetty | Medium
Product | pom | url | http://jetty.mortbay.org | Medium
Product | pom | parent-artifactid | project | Medium
Product | gradle | artifactid | jetty-sslengine | Highest
Product | jar | package name | jetty | Highest
Product | Manifest | bundle-docurl | http://jetty.mortbay.org | Low
Product | file | name | jetty-sslengine | High
Product | pom | name | Jetty SSLEngine | High
Version | gradle | version | 6.1.26 | Highest
Version | Manifest | implementation-version | 6.1.26 | High
Version | Manifest | Bundle-Version | 6.1.26 | High
Version | pom | version | 6.1.26 | Highest
Version | file | version | 6.1.26 | High
Published Vulnerabilities
CVE-2009-1523
Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI. CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Triage: the scanned jar is 6.1.26, which lies outside the 6.x range stated here (before 6.1.17). The match comes from identifying the jar as the Jetty product (see the evidence above), not from this version range, so treat it as a candidate false positive: confirm against the advisory, then suppress it for this jar's SHA1 and this CVE only, not for the whole artifact.
CVSSv2: Base Score: MEDIUM (5.0), Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2011-4461
Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. CWE-310 Cryptographic Issues
Triage: 6.1.26 is inside the stated range (8.1.0.RC2 and earlier), so this finding stands for the 6.x line; the description places the fix after 8.1.0.RC2, so remediation means moving off org.mortbay.jetty 6.1.26 rather than suppressing.
CVSSv2: Base Score: MEDIUM (5.0), Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (5.3), Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References:
Vulnerable Software & Versions:
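The CVE-2009-1523 entry above covers Jetty 6.x before 6.1.17, so for this 6.1.26 jar it is a candidate false positive. Once that is verified, the way to record it in Dependency-Check is a suppression scoped to this jar's SHA1 and this CVE only, with a note saying why and an expiry so it gets revisited. The following is an added example of generating such an entry; it is not code from Dependency-Check or from the scanned projects. The SHA1 and CVE are the ones printed above; the note text and the `until` review date are assumptions, and the element names follow Dependency-Check's dependency-suppression.1.3 schema.

```python
"""Generate a Dependency-Check suppression entry scoped to one jar (by SHA1)
and one CVE. Added example; element names follow Dependency-Check's
dependency-suppression.1.3 schema, the entry data is from this report."""
import datetime
import re
import xml.etree.ElementTree as ET

NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"

# Entry for the CVE-2009-1523 match on jetty-sslengine-6.1.26.jar. SHA1 and
# CVE are from the report above; the note text and review date are assumed.
JETTY_SSLENGINE_6_1_26 = {
    "sha1": "60367999cee49a3b09fa86bdcb52310b6c896014",
    "cves": ["CVE-2009-1523"],
    "notes": "CVE-2009-1523 covers Jetty 6.x before 6.1.17; this jar is 6.1.26. "
             "Matched on product identity, not version. Re-check at expiry.",
    "until": "2021-11-27",
}


def suppression_xml(entries):
    """Build the suppression file. Each entry: sha1, cves, notes, optional until (YYYY-MM-DD).
    Keying on sha1 pins the exception to these exact bytes, so a rebuilt or
    upgraded jar is scanned afresh; listing each cve keeps other findings visible."""
    root = ET.Element("suppressions", {"xmlns": NS})
    for e in entries:
        if not re.fullmatch(r"[0-9a-f]{40}", e["sha1"]):
            raise ValueError("not a lowercase hex SHA1: %r" % e["sha1"])
        if not e["cves"]:
            raise ValueError("refusing a blanket suppression with no CVE for %s" % e["sha1"])
        sup = ET.SubElement(root, "suppress")
        if e.get("until"):
            datetime.date.fromisoformat(e["until"])      # the until attribute is an xs:date
            sup.set("until", e["until"])
        ET.SubElement(sup, "notes").text = e["notes"]
        ET.SubElement(sup, "sha1").text = e["sha1"]
        for cve in e["cves"]:
            ET.SubElement(sup, "cve").text = cve
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def parse_suppressions(xml_text):
    """Read a suppression file back as (sha1, [cve...], until) tuples, e.g. for periodic review."""
    root = ET.fromstring(xml_text)
    out = []
    for sup in root.iter("{%s}suppress" % NS):
        out.append((sup.findtext("{%s}sha1" % NS),
                    [c.text for c in sup.findall("{%s}cve" % NS)],
                    sup.get("until")))
    return out


if __name__ == "__main__":
    print(suppression_xml([JETTY_SSLENGINE_6_1_26]))
```

Point the scan at the generated file with the `suppressionFile` setting of whichever Dependency-Check plugin or CLI is in use. Keying on `sha1` rather than on a file-path regex means a jar with different bytes (a patched rebuild, an upgrade) is scanned again, and naming the `cve` means a new CVE against the same jar still surfaces.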
jetty-util-6.1.26.jar
Description: Utility classes for Jetty
License: http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.mortbay.jetty/jetty-util/6.1.26/e5642fe0399814e1687d55a3862aa5a3417226a9/jetty-util-6.1.26.jar
MD5: 450fedce4f7f8ad3761577b10a664200
SHA1: e5642fe0399814e1687d55a3862aa5a3417226a9
SHA256: 9b974ce2b99f48254b76126337dc45b21226f383aaed616f59780adaf167c047
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath spark:default spark:compileClasspath piglet:default pig:default spark:runtimeClasspath pig:compileClasspath
Evidence (Type | Source | Name | Value | Confidence)
Vendor | jar | package name | mortbay | Highest
Vendor | file | name | jetty-util | High
Vendor | Manifest | bundle-symbolicname | org.mortbay.jetty.util | Medium
Vendor | pom | parent-artifactid | project | Low
Vendor | Manifest | mode | development | Low
Vendor | pom | groupid | mortbay.jetty | Highest
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.4 | Low
Vendor | Manifest | originally-created-by | 1.6.0_22 (Sun Microsystems Inc.) | Low
Vendor | pom | parent-groupid | org.mortbay.jetty | Medium
Vendor | pom | artifactid | jetty-util | Low
Vendor | jar | package name | util | Highest
Vendor | Manifest | bundle-docurl | http://jetty.mortbay.org | Low
Vendor | gradle | groupid | org.mortbay.jetty | Highest
Vendor | pom | name | Jetty Utilities | High
Vendor | Manifest | url | http://www.eclipse.org/jetty/jetty-parent/project/modules/jetty-util | Low
Product | Manifest | Bundle-Name | Jetty Utilities | Medium
Product | jar | package name | mortbay | Highest
Product | file | name | jetty-util | High
Product | Manifest | bundle-symbolicname | org.mortbay.jetty.util | Medium
Product | Manifest | mode | development | Low
Product | pom | artifactid | jetty-util | Highest
Product | pom | groupid | mortbay.jetty | Highest
Product | gradle | artifactid | jetty-util | Highest
Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.4 | Low
Product | Manifest | originally-created-by | 1.6.0_22 (Sun Microsystems Inc.) | Low
Product | pom | parent-groupid | org.mortbay.jetty | Medium
Product | jar | package name | util | Highest
Product | pom | parent-artifactid | project | Medium
Product | Manifest | bundle-docurl | http://jetty.mortbay.org | Low
Product | pom | name | Jetty Utilities | High
Product | Manifest | url | http://www.eclipse.org/jetty/jetty-parent/project/modules/jetty-util | Low
Version | gradle | version | 6.1.26 | Highest
Version | Manifest | implementation-version | 6.1.26 | High
Version | Manifest | Bundle-Version | 6.1.26 | High
Version | pom | version | 6.1.26 | Highest
Version | file | version | 6.1.26 | High
Published Vulnerabilities
CVE-2009-1523
Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI. CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Triage: as for jetty-sslengine-6.1.26.jar above, 6.1.26 is outside the stated 6.x range (before 6.1.17); candidate false positive, to be suppressed by this jar's SHA1 and this CVE once confirmed.
CVSSv2: Base Score: MEDIUM (5.0), Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2011-4461
Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. CWE-310 Cryptographic Issues
Triage: 6.1.26 is inside the stated range (8.1.0.RC2 and earlier); the finding stands and is resolved by leaving the org.mortbay.jetty 6.x line, not by suppression.
CVSSv2: Base Score: MEDIUM (5.0), Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (5.3), Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References:
Vulnerable Software & Versions:
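CVE-2011-4461, listed above for both 6.1.26 jars, is the 2011 hash-flooding issue: Java's String.hashCode is public and predictable, so a client can send thousands of parameter names that all land in one bucket of the server's parameter map, and each insertion then walks the whole chain. The added example below is not Jetty code; it reproduces the mechanism with a toy chained map that counts key comparisons, and shows the mitigation the description implies, a hard cap on the number of form keys. The parameter names, the 64-bucket table and the cap of 1000 are assumptions for illustration.

```python
"""Hash-flooding a parameter map with predictable Java String.hashCode
collisions (the mechanism behind CVE-2011-4461) and the key-count cap that
blunts it. Added example, not Jetty code; the table is a stand-in for the
server's form-parameter map."""
import itertools


def java_string_hash(s):
    """Java's String.hashCode(): h = 31*h + c over the characters, as a signed 32-bit int."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h >= (1 << 31) else h


def colliding_names(count):
    """'Aa' and 'BB' hash to the same value, so every concatenation of k such
    blocks collides with every other: 2**k distinct names, one hash."""
    k = max(1, (count - 1).bit_length())
    names = ("".join(blocks) for blocks in itertools.product(("Aa", "BB"), repeat=k))
    return list(itertools.islice(names, count))


class ChainedMap:
    """Separate-chaining table keyed by java_string_hash. It counts key
    comparisons so the attack's cost is a number, not a wall-clock guess."""

    def __init__(self, buckets=64, max_keys=None):
        self.buckets = [[] for _ in range(buckets)]
        self.max_keys = max_keys          # None reproduces the unrestricted behaviour
        self.size = 0
        self.comparisons = 0

    def put(self, key, value):
        if self.max_keys is not None and self.size >= self.max_keys:
            raise ValueError("form has more than %d keys; rejecting request" % self.max_keys)
        chain = self.buckets[java_string_hash(key) % len(self.buckets)]
        for entry in chain:               # walk the chain looking for an existing key
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])
        self.size += 1


def parse_form(body, max_keys=None):
    """Decode name=value&... into a ChainedMap, as a form parser would."""
    params = ChainedMap(max_keys=max_keys)
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        params.put(name, value)
    return params


def attack_body(n):
    """Constructed request body: n distinct names that all share one bucket."""
    return "&".join(name + "=x" for name in colliding_names(n))


def benign_body(n):
    """Constructed request body: n ordinary names, spread across buckets."""
    return "&".join("p%d=x" % i for i in range(n))


if __name__ == "__main__":
    n = 1024
    print("colliding:", parse_form(attack_body(n)).comparisons, "comparisons")
    print("benign:   ", parse_form(benign_body(n)).comparisons, "comparisons")
    try:
        parse_form(attack_body(n), max_keys=1000)
    except ValueError as exc:
        print("capped:   ", exc)
```

With 1024 colliding names the toy map performs 1024*1023/2 comparisons for a request of a few kilobytes, and the cost grows with the square of the parameter count; the cap turns that into a rejected request before the quadratic work starts. Later Jetty releases take the same approach with a maximum number of form keys (the setting name is from memory, not from this report).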
jetty-util-9.4.15.v20190215.jar
Description: Utility classes for Jetty
License: http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.4.15.v20190215/842cb29911d32c18c9e6fa377cabfbc4685f4bb2/jetty-util-9.4.15.v20190215.jar
MD5: 986499cd8b571c3ddc229e972f260602
SHA1: 842cb29911d32c18c9e6fa377cabfbc4685f4bb2
SHA256: f3deed4141b4595971f504f6b516e7302f307032bc45403a720213e46ca87464
Referenced In Projects/Scopes: calcite:sqllineClasspath plus:compileClasspath geode:default spark:default spark:compileClasspath geode:runtimeClasspath plus:default plus:runtimeClasspath spark:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence)
Vendor | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Vendor | pom | name | Jetty :: Utilities | High
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.util | Medium
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Vendor | pom | url | http://www.eclipse.org/jetty | Highest
Vendor | file | name | jetty-util | High
Vendor | Manifest | bundle-docurl | http://www.eclipse.org/jetty | Low
Vendor | jar | package name | eclipse | Highest
Vendor | Manifest | bundle-copyright | Copyright (c) 2008-2019 Mort Bay Consulting Pty. Ltd. | Low
Vendor | pom | parent-artifactid | jetty-project | Low
Vendor | Manifest | automatic-module-name | org.eclipse.jetty.util | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | require-capability | osgi.serviceloader;filter:="(osgi.serviceloader=org.eclipse.jetty.util.security.CredentialProvider)";resolution:=optional;cardinality:=multiple,osgi.extender;filter:="(osgi.extender=osgi.serviceloader.processor)";resolution:=optional,osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | pom | artifactid | jetty-util | Low
Vendor | jar | package name | util | Highest
Vendor | jar | package name | jetty | Highest
Vendor | pom | parent-groupid | org.eclipse.jetty | Medium
Vendor | pom | groupid | eclipse.jetty | Highest
Vendor | Manifest | url | http://www.eclipse.org/jetty | Low
Product | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Product | pom | name | Jetty :: Utilities | High
Product | Manifest | bundle-symbolicname | org.eclipse.jetty.util | Medium
Product | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Product | file | name | jetty-util | High
Product | Manifest | bundle-docurl | http://www.eclipse.org/jetty | Low
Product | pom | artifactid | jetty-util | Highest
Product | jar | package name | eclipse | Highest
Product | Manifest | bundle-copyright | Copyright (c) 2008-2019 Mort Bay Consulting Pty. Ltd. | Low
Product | Manifest | Bundle-Name | Jetty :: Utilities | Medium
Product | gradle | artifactid | jetty-util | Highest
Product | pom | url | http://www.eclipse.org/jetty | Medium
Product | Manifest | automatic-module-name | org.eclipse.jetty.util | Medium
Product | jar | package name | security | Highest
Product | Manifest | require-capability | osgi.serviceloader;filter:="(osgi.serviceloader=org.eclipse.jetty.util.security.CredentialProvider)";resolution:=optional;cardinality:=multiple,osgi.extender;filter:="(osgi.extender=osgi.serviceloader.processor)";resolution:=optional,osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | jar | package name | util | Highest
Product | jar | package name | jetty | Highest
Product | pom | parent-artifactid | jetty-project | Medium
Product | pom | parent-groupid | org.eclipse.jetty | Medium
Product | pom | groupid | eclipse.jetty | Highest
Product | Manifest | url | http://www.eclipse.org/jetty | Low
Version | file | version | 9.4.15.v20190215 | High
Version | pom | version | 9.4.15.v20190215 | Highest
Version | gradle | version | 9.4.15.v20190215 | Highest
Version | Manifest | Implementation-Version | 9.4.15.v20190215 | High
Version | Manifest | Bundle-Version | 9.4.15.v20190215 | High
Published Vulnerabilities
Triage: all six CVEs below quote ranges that contain 9.4.15 (the .v20190215 suffix is a build date on the 9.4.15 release and does not move it out of any range). The highest upper bound among them is 9.4.38 (CVE-2021-28165), and the references for that CVE show downstream projects settling on 9.4.39, so one upgrade of the org.eclipse.jetty artifacts to 9.4.39 or later clears the whole set. Only jetty-util is listed here, but the ranges describe the Jetty release as a whole, so move every jetty-* module on the classpath together.
CVE-2019-10241
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3), Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1), Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2019-10247
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error; it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context. CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0), Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3), Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2020-27216
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2, on Unix-like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub-directory in the shared temporary directory and race to complete the creation of the temporary sub-directory. If the attacker wins the race then they will have read and write permission to the sub-directory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability. NVD-CWE-Other (NVD assigned no specific CWE)
CVSSv2: Base Score: MEDIUM (4.4), Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.0), Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
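For CVE-2020-27216 above, the attacker's win is that the server goes on to unpack into a directory under the shared temp root that the attacker created. The defence is to create the work directory atomically with a private mode and to refuse to proceed when it already exists and is not a plain directory owned by this user with no group/other permissions. The added example below is not Jetty code: it contrasts the weak pattern with that hardened one, and simulates the collocated user by pre-creating the predictable path world-writable. The directory names and the `demo` scenario are constructed for the demonstration.

```python
"""CVE-2020-27216 pattern: a server-side work directory under a shared temp
root is created (or raced) by another local user before the server uses it.
Added example, not Jetty code; the directory names and the simulated attacker
are constructed for the demonstration."""
import os
import stat
import tempfile


def vulnerable_workdir(shared_tmp, name):
    """The weak pattern: derive a predictable name and accept whatever is
    already there, with no check of who owns it or who can write to it."""
    path = os.path.join(shared_tmp, name)
    os.makedirs(path, exist_ok=True)
    return path


def hardened_workdir(shared_tmp, name):
    """Create the directory atomically with mode 0700. If it already exists,
    use it only when it is a real directory owned by this uid with no
    group/other permission bits; otherwise refuse rather than unpack into it."""
    path = os.path.join(shared_tmp, name)
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        st = os.lstat(path)                       # lstat: do not follow a planted symlink
        if not stat.S_ISDIR(st.st_mode):
            raise PermissionError("%s exists and is not a directory" % path)
        if st.st_uid != os.getuid() or stat.S_IMODE(st.st_mode) & 0o077:
            raise PermissionError("%s is owned by uid %d with mode %o; refusing to use it"
                                  % (path, st.st_uid, stat.S_IMODE(st.st_mode)))
        return path
    os.chmod(path, 0o700)                         # make the mode independent of umask
    return path


def simulate_collocated_user(shared_tmp, name):
    """Stand-in for the attacker who wins the race: the predictable path is
    created first, readable and writable by everyone."""
    path = os.path.join(shared_tmp, name)
    os.mkdir(path)
    os.chmod(path, 0o777)
    return path


def demo():
    """Run both patterns against a pre-created directory and report what happened."""
    shared_tmp = tempfile.mkdtemp(prefix="shared-tmp-")      # stands in for /tmp
    name = "jetty-0_0_0_0-8080-webapp_war-_-any-"            # constructed predictable name
    simulate_collocated_user(shared_tmp, name)
    reused = vulnerable_workdir(shared_tmp, name)
    result = {"vulnerable_reused_attacker_dir":
              stat.S_IMODE(os.stat(reused).st_mode) == 0o777}
    try:
        hardened_workdir(shared_tmp, name)
        result["hardened_refused"] = False
    except PermissionError:
        result["hardened_refused"] = True
    fresh = hardened_workdir(shared_tmp, name + "-fresh")
    result["hardened_mode"] = stat.S_IMODE(os.stat(fresh).st_mode)
    return result


if __name__ == "__main__":
    print(demo())
```

The ownership and mode check only catches a directory that is already there; it does not close the window between `lstat` and use. The robust fix, which is what the advisory's upgrade amounts to operationally, is a work directory owned by the service user outside the shared temp root, so no other local user can create or replace entries in it at all.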
CVE-2020-27218
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request. NVD-CWE-noinfo (NVD assigned no specific CWE)
CVSSv2: Base Score: MEDIUM (5.8), Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P
CVSSv3: Base Score: MEDIUM (4.8), Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
References:
Vulnerable Software & Versions:
CVE-2020-27223
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0, when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: MEDIUM (4.3), Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (5.3), Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References:
Vulnerable Software & Versions:
CVE-2021-28165
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
Triage: the trigger is a TLS frame, so this needs a TLS connector that Jetty itself terminates; a plain-HTTP listener behind a separate TLS terminator never receives one. The upgrade still applies because the other five findings do not depend on TLS.
CVSSv2: Base Score: HIGH (7.8), Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3: Base Score: HIGH (7.5), Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
CONFIRM - https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w
MLIST - [hbase-commits] 20210408 [hbase-thirdparty] branch master updated: HBASE-25746 [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165 (#49)
MLIST - [hbase-dev] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165
MLIST - [hbase-issues] 20210407 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165
MLIST - [hbase-issues] 20210407 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165
MLIST - [hbase-issues] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165
MLIST - [hbase-issues] 20210407 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165
MLIST - [hbase-issues] 20210408 [GitHub] [hbase-thirdparty] apurtell merged pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165
MLIST - [hbase-issues] 20210408 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165
MLIST - [ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty
MLIST - [ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty
MLIST - [ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty
MLIST - [ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty
MLIST - [ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty
MLIST - [kafka-dev] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-dev] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210412 [jira] [Assigned] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210412 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210413 [GitHub] [kafka] chia7712 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210413 [GitHub] [kafka] chia7712 merged pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210413 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210413 [GitHub] [kafka] edwin092 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210413 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [oss-security] 20210420 Vulnerability in Jenkins
MLIST - [pulsar-commits] 20210409 [GitHub] [pulsar] dinghram opened a new pull request #10183: CVE-2021-28165-Jetty
MLIST - [pulsar-commits] 20210409 [GitHub] [pulsar] merlimat commented on pull request #10183: CVE-2021-28165-Jetty
MLIST - [pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai closed pull request #10183: CVE-2021-28165-Jetty
MLIST - [pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai commented on pull request #10183: CVE-2021-28165-Jetty
MLIST - [solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr
MLIST - [solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr
MLIST - [spark-commits] 20210408 [spark] branch branch-2.4 updated: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-commits] 20210408 [spark] branch branch-3.0 updated: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-issues] 20210408 [jira] [Assigned] (SPARK-34988) Upgrade Jetty for CVE-2021-28165
MLIST - [spark-issues] 20210408 [jira] [Commented] (SPARK-34988) Upgrade Jetty for CVE-2021-28165
MLIST - [spark-issues] 20210408 [jira] [Created] (SPARK-34988) Upgrade Jetty for CVE-2021-28165
MLIST - [spark-issues] 20210408 [jira] [Resolved] (SPARK-34988) Upgrade Jetty for CVE-2021-28165
MLIST - [spark-issues] 20210408 [jira] [Updated] (SPARK-34988) Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] HyukjinKwon commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] MaxGekk closed pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] MaxGekk commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun closed pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun edited a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] viirya commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210517 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210517 [GitHub] [spark] jeffreysmooth commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.6.3 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-commits] 20210407 [zookeeper] branch master updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-dev] 20210407 Re: [VOTE] Apache ZooKeeper release 3.6.3 candidate 1
MLIST - [zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165
MLIST - [zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165
MLIST - [zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165
MLIST - [zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.38 CVE-2021-28165
MLIST - [zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165
MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad closed pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] asfgit closed pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
OSSINDEX - [CVE-2021-28165] In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to ...
Vulnerable Software & Versions:
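The version ranges quoted in the CVE descriptions above, for the two org.mortbay.jetty 6.1.26 jars as well as this org.eclipse.jetty 9.4.15.v20190215 jar, can be checked mechanically rather than by eye. The following is an added example and not Dependency-Check's own matcher, which works on CPE identity rather than on these ranges: it parses Jetty's version syntax, encodes the ranges exactly as the descriptions state them, and reports which listed CVEs contain a given version and the first candidate upgrade that none of them cover. Two assumptions: where a description says "9.4.15 and older" the lower bound is taken as the start of that series, and 9.4.39 as a candidate comes from the CVE-2021-28165 references, not from any description.

```python
"""Check the Jetty version ranges quoted in this report's CVE descriptions.
Added example; Dependency-Check itself matches on CPE identity, not on these ranges."""
import re

# Jetty pre-release tags sort before the final release; a date-stamped final
# (9.4.15.v20190215) is treated as the same release as the bare triple (9.4.15).
_RANK = {"alpha": 0, "beta": 1, "m": 2, "rc": 3}
_FINAL = 4
_VERSION_RE = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(?:v\d{8}|([A-Za-z]+)(\d*)))?$")


def parse(version):
    """'9.4.15.v20190215' -> (9, 4, 15, 4, 0); '10.0.0.beta2' -> (10, 0, 0, 1, 2)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised Jetty version: %r" % version)
    major, minor, micro, tag, tagnum = m.groups()
    nums = tuple(int(x or 0) for x in (major, minor, micro))
    if tag is None:
        return nums + (_FINAL, 0)
    return nums + (_RANK[tag.lower()], int(tagnum or 0))


def in_range(version, low, high, high_inclusive=True):
    """Inclusive lower bound, inclusive or exclusive upper bound; None = unbounded."""
    v = parse(version)
    if low is not None and v < parse(low):
        return False
    if high is None:
        return True
    return v <= parse(high) if high_inclusive else v < parse(high)


# Ranges transcribed from the descriptions above as (low, high, high_inclusive).
# Where a description says "9.4.15 and older" the lower bound is assumed to be
# the start of that series (x.y.0.alpha0).
AFFECTED = {
    "CVE-2009-1523": [("5.1.14", "5.1.14", True), ("6.0.0.alpha0", "6.1.17", False),
                      ("7.0.0.alpha0", "7.0.0.M2", True)],
    "CVE-2011-4461": [(None, "8.1.0.RC2", True)],
    "CVE-2019-10241": [("9.2.0.alpha0", "9.2.26", True), ("9.3.0.alpha0", "9.3.25", True),
                       ("9.4.0.alpha0", "9.4.15", True)],
    "CVE-2019-10247": [("7.0.0.alpha0", "9.0.0.alpha0", False), ("9.2.0.alpha0", "9.2.27", True),
                       ("9.3.0.alpha0", "9.3.26", True), ("9.4.0.alpha0", "9.4.16", True)],
    "CVE-2020-27216": [("1.0", "9.4.32.v20200930", True), ("10.0.0.alpha1", "10.0.0.beta2", True),
                       ("11.0.0.alpha1", "11.0.0.beta2", True)],
    "CVE-2020-27218": [("9.4.0.RC0", "9.4.34.v20201102", True), ("10.0.0.alpha0", "10.0.0.beta2", True),
                       ("11.0.0.alpha0", "11.0.0.beta2", True)],
    "CVE-2020-27223": [("9.4.6.v20170531", "9.4.36.v20210114", True), ("10.0.0", "10.0.0", True),
                       ("11.0.0", "11.0.0", True)],
    "CVE-2021-28165": [("7.2.2", "9.4.38", True), ("10.0.0.alpha0", "10.0.1", True),
                       ("11.0.0.alpha0", "11.0.1", True)],
}


def matching_cves(version):
    """CVE ids from this report whose stated ranges contain `version`."""
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(in_range(version, *r) for r in ranges))


def first_clear_version(candidates):
    """First candidate that no listed range covers, or None."""
    for candidate in candidates:
        if not matching_cves(candidate):
            return candidate
    return None


if __name__ == "__main__":
    for jar_version in ("6.1.26", "9.4.15.v20190215"):
        print(jar_version, "->", ", ".join(matching_cves(jar_version)) or "no listed CVE")
    # 9.4.39 is the target the CVE-2021-28165 references converge on.
    print("first clear:", first_clear_version(["9.4.36", "9.4.38", "9.4.39"]))
```

For 9.4.15.v20190215 the check returns exactly the six CVEs listed for this jar, and 9.4.39 is the first of the candidates that none of the ranges cover. For 6.1.26 it returns CVE-2011-4461, as the report does, but also CVE-2020-27216, whose description starts its range at 1.0; the report lists that CVE only under this org.eclipse.jetty jar because the mortbay jars are identified as a different product. Whether a 6.x server is actually affected by that one is a question for the advisory, not for a range check, which is the general limit of this approach: it tells you which findings the stated ranges support, not which code paths you run.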
jffi-1.2.16-native.jar
Description: Java Foreign Function Interface - Native Libraries
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.jnr/jffi/1.2.16/3c1f0edf2df2c6e0419d60d0baa59659211624cb/jffi-1.2.16-native.jar
MD5: 5750b1111e4fdb7445bc08b5e74a2fd8
SHA1: 3c1f0edf2df2c6e0419d60d0baa59659211624cb
SHA256: ef78953e3dbf47fab94469190bc2a6d601566a21d4651f73c822bad1c02b64fe
Referenced In Projects/Scopes: calcite:sqllineClasspath cassandra:runtimeClasspath cassandra:default
Evidence (Type | Source | Name | Value | Confidence)
Vendor | gradle | groupid | com.github.jnr | Highest
Vendor | file | name | jffi | High
Vendor | Manifest | bundle-symbolicname | com.github.jnr.jffi.native | Medium
Product | Manifest | Bundle-Name | jffi | Medium
Product | gradle | artifactid | jffi | Highest
Product | file | name | jffi | High
Product | Manifest | bundle-symbolicname | com.github.jnr.jffi.native | Medium
Version | gradle | version | 1.2.16 | Highest
Version | Manifest | Bundle-Version | 1.2.16 | High
Version | file | version | 1.2.16 | High
Version | file | name | jffi | Medium
jffi-1.2.16-native.jar: jffi-1.2.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.jnr/jffi/1.2.16/3c1f0edf2df2c6e0419d60d0baa59659211624cb/jffi-1.2.16-native.jar/jni/x86_64-Windows/jffi-1.2.dll
MD5: 5d80b61c1f9e31860c17b3a410948e7e
SHA1: 5ca292116336ee4ceed00d10e756afea580e62cf
SHA256: 58398ba5cda1b7cb89ad4e03dd4a658006956f81acfef4efb4e7dd934e2733ef
Referenced In Projects/Scopes: calcite:sqllineClasspath cassandra:runtimeClasspath cassandra:default
Evidence (Type | Source | Name | Value | Confidence)
Vendor | file | name | jffi | High
Product | file | name | jffi | High
Version | file | version | 1.2 | High
Version | file | name | jffi | Medium
jffi-1.2.16-native.jar: jffi-1.2.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.jnr/jffi/1.2.16/3c1f0edf2df2c6e0419d60d0baa59659211624cb/jffi-1.2.16-native.jar/jni/i386-Windows/jffi-1.2.dll
MD5: 841e60814ed6b2971a47b267aef1c58a
SHA1: 07d30c6407fefad8df4b6afc4d85f83e547975ca
SHA256: d63b0ec9a7cc75c26fa951928bf550c0e9a5e6c195a3de94a9c24995206bbfd2
Referenced In Projects/Scopes: calcite:sqllineClasspath cassandra:runtimeClasspath cassandra:default
Evidence (Type | Source | Name | Value | Confidence)
Vendor | file | name | jffi | High
Product | file | name | jffi | High
Version | file | version | 1.2 | High
Version | file | name | jffi | Medium
jffi-1.2.16.jar
Description: Java Foreign Function Interface
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.jnr/jffi/1.2.16/5c1149dfcc9a16f85c8d9b8797f03806667cb9f1/jffi-1.2.16.jar
MD5: 90fc8c0b31df29ef4d595c68a9d46de9
SHA1: 5c1149dfcc9a16f85c8d9b8797f03806667cb9f1
SHA256: 7a616bb7dc6e10531a28a098078f8184df9b008d5231bdc5f1c131839385335f
Referenced In Projects/Scopes: cassandra:compileClasspath calcite:sqllineClasspath cassandra:runtimeClasspath cassandra:default
Evidence (Type | Source | Name | Value | Confidence)
Vendor | pom | artifactid | jffi | Low
Vendor | jar | package name | kenai | Low
Vendor | jar | package name | function | Highest
Vendor | jar | package name | jffi | Low
Vendor | gradle | groupid | com.github.jnr | Highest
Vendor | pom | name | jffi | High
Vendor | pom | url | http://github.com/jnr/jffi | Highest
Vendor | pom | groupid | github.jnr | Highest
Vendor | jar | package name | jffi | Highest
Vendor | jar | package name | foreign | Highest
Vendor | file | name | jffi | High
Product | jar | package name | function | Highest
Product | jar | package name | jffi | Low
Product | pom | artifactid | jffi | Highest
Product | gradle | artifactid | jffi | Highest
Product | pom | name | jffi | High
Product | pom | url | http://github.com/jnr/jffi | Medium
Product | pom | groupid | github.jnr | Highest
Product | jar | package name | jffi | Highest
Product | jar | package name | foreign | Highest
Product | file | name | jffi | High
Version | gradle | version | 1.2.16 | Highest
Version | pom | version | 1.2.16 | Highest
Version | file | version | 1.2.16 | High
jgroups-3.6.14.Final.jar
Description: Reliable cluster communication toolkit
License: Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jgroups/jgroups/3.6.14.Final/ee11e0645462b6937625f56f42bf5e853673168/jgroups-3.6.14.Final.jar
MD5: 524fb17e62dbebe166cf96434fc835c8
SHA1: 0ee11e0645462b6937625f56f42bf5e853673168
SHA256: 7fc7cbd06ac8673d77aae5215bb90605bbd1ec6d9156e22b26844d9d317e0056
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence)
Vendor | pom | url | http://www.jgroups.org | Highest
Vendor | pom | artifactid | jgroups | Low
Vendor | pom | organization name | JBoss, a division of Red Hat | High
Vendor | gradle | groupid | org.jgroups | Highest
Vendor | Manifest | bundle-docurl | http://www.jboss.org | Low
Vendor | file | name | jgroups | High
Vendor | Manifest | bundle-symbolicname | org.jgroups | Medium
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.7 | Low
Vendor | pom | organization url | http://www.jboss.org | Medium
Vendor | jar | package name | jgroups | Highest
Vendor | pom | name | JGroups | High
Vendor | pom | groupid | jgroups | Highest
Product | pom | url | http://www.jgroups.org | Medium
Product | Manifest | bundle-docurl | http://www.jboss.org | Low
Product | pom | organization url | http://www.jboss.org | Low
Product | gradle | artifactid | jgroups | Highest
Product | file | name | jgroups | High
Product | Manifest | bundle-symbolicname | org.jgroups | Medium
Product | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.7 | Low
Product | pom | organization name | JBoss, a division of Red Hat | Low
Product | jar | package name | jgroups | Highest
Product | pom | artifactid | jgroups | Highest
Product | Manifest | Bundle-Name | JGroups | Medium
Product | pom | name | JGroups | High
Product | pom | groupid | jgroups | Highest
Version | gradle | version | 3.6.14.Final | Highest
Version | Manifest | Implementation-Version | 3.6.14.Final | High
Version | Manifest | Bundle-Version | 3.6.14.Final | High
Version | pom | version | 3.6.14.Final | Highest
Published Vulnerabilities
CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') (OSSINDEX)
The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
CVSSv3:
Base Score: HIGH (7.4)
Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.jgroups:jgroups:3.6.14.Final:*:*:*:*:*:*:*
jline-0.9.94.jar
Description:
JLine is a java library for reading and editing user input in console applications. It features tab-completion, command history, password masking, customizable keybindings, and pass-through handlers to use to chain to other console applications.
License:
BSD: LICENSE.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/jline/jline/0.9.94/99a18e9a44834afdebc467294e1138364c207402/jline-0.9.94.jar
MD5: 46235c960277206f00fe24714437bc89
SHA1: 99a18e9a44834afdebc467294e1138364c207402
SHA256: d8df0ffb12d87ca876271cda4d59b3feb94123882c1be1763b7faf2e0a0b0cbb
Referenced In Projects/Scopes: spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor jar package name jline Highest Vendor pom name JLine High Vendor pom groupid jline Highest Vendor jar package name history Highest Vendor pom url http://jline.sourceforge.net Highest Vendor file name jline High Vendor pom artifactid jline Low Vendor jar package name jline Low Vendor gradle groupid jline Highest Product jar package name jline Highest Product pom name JLine High Product pom groupid jline Highest Product jar package name history Highest Product file name jline High Product pom artifactid jline Highest Product pom url http://jline.sourceforge.net Medium Product gradle artifactid jline Highest Version pom version 0.9.94 Highest Version gradle version 0.9.94 Highest Version file version 0.9.94 High
jline-0.9.94.jar: jline32.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/jline/jline/0.9.94/99a18e9a44834afdebc467294e1138364c207402/jline-0.9.94.jar/jline/jline32.dll
MD5: b3d9a08ff70440ba3638a325512f2cd8
SHA1: 67a55d8f8ca4937d784d4334e554770adc2a1079
SHA256: 3ddb21ed441296861413cfd109c61f12626ecc66ece659754b621d295fe9b23c
Referenced In Projects/Scopes:
piglet:compileClasspath piglet:runtimeClasspath spark:default pig:runtimeClasspath spark:compileClasspath piglet:default pig:default spark:runtimeClasspath pig:compileClasspath Evidence Type Source Name Value Confidence Vendor file name jline32 High Product file name jline32 High Version file name jline32 Medium Version file version 32 Medium
Related Dependencies
jline-1.0.jar: jline32.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/jline/jline/1.0/e8f2d4690059d42a8f0f29195884a72a82ce4bb7/jline-1.0.jar/jline/jline32.dll
MD5: b3d9a08ff70440ba3638a325512f2cd8
SHA1: 67a55d8f8ca4937d784d4334e554770adc2a1079
SHA256: 3ddb21ed441296861413cfd109c61f12626ecc66ece659754b621d295fe9b23c
jline-0.9.94.jar: jline64.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/jline/jline/0.9.94/99a18e9a44834afdebc467294e1138364c207402/jline-0.9.94.jar/jline/jline64.dll
MD5: d2f7b0db1231aac1846a857f5c0c4f2c
SHA1: e297e4e990ce820e64d41f3f27b9be90283f3f96
SHA256: f496874c86992b7436962451e05d1ffc9ca32ab64ce819501c42d807670e376e
Referenced In Projects/Scopes:
piglet:compileClasspath piglet:runtimeClasspath spark:default pig:runtimeClasspath spark:compileClasspath piglet:default pig:default spark:runtimeClasspath pig:compileClasspath Evidence Type Source Name Value Confidence Vendor file name jline64 High Product file name jline64 High Version file version 64 Medium Version file name jline64 Medium
Related Dependencies
jline-1.0.jar: jline64.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/jline/jline/1.0/e8f2d4690059d42a8f0f29195884a72a82ce4bb7/jline-1.0.jar/jline/jline64.dll
MD5: d2f7b0db1231aac1846a857f5c0c4f2c
SHA1: e297e4e990ce820e64d41f3f27b9be90283f3f96
SHA256: f496874c86992b7436962451e05d1ffc9ca32ab64ce819501c42d807670e376e
jline-1.0.jar
Description:
JLine is a java library for reading and editing user input in console applications. It features tab-completion, command history, password masking, customizable keybindings, and pass-through handlers to use to chain to other console applications.
License:
BSD: LICENSE.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/jline/jline/1.0/e8f2d4690059d42a8f0f29195884a72a82ce4bb7/jline-1.0.jar
MD5: d6b1adf9b0fb4607362385ef6c3371dd
SHA1: e8f2d4690059d42a8f0f29195884a72a82ce4bb7
SHA256: b0d884980fab1df2f948c568f576c365f3379dc8bc930272fa508843d1f3652b
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath Evidence Type Source Name Value Confidence Vendor jar package name jline Highest Vendor pom name JLine High Vendor pom groupid jline Highest Vendor jar package name history Highest Vendor pom url http://jline.sourceforge.net Highest Vendor file name jline High Vendor Manifest bundle-symbolicname jline Medium Vendor pom artifactid jline Low Vendor gradle groupid jline Highest Product jar package name jline Highest Product pom name JLine High Product jar package name history Highest Product pom groupid jline Highest Product file name jline High Product Manifest bundle-symbolicname jline Medium Product Manifest Bundle-Name JLine Medium Product pom artifactid jline Highest Product pom url http://jline.sourceforge.net Medium Product gradle artifactid jline Highest Version file version 1.0 High Version pom version 1.0 Highest Version gradle version 1.0 Highest Version Manifest Bundle-Version 1.0 High
jline-2.12.jar
License:
The BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/jline/jline/2.12/ce9062c6a125e0f9ad766032573c041ae8ecc986/jline-2.12.jar
MD5: 391c352dda90e0e16aa129286d72f2c7
SHA1: ce9062c6a125e0f9ad766032573c041ae8ecc986
SHA256: d34b45c8ca4359c65ae61e406339022e4731c739bc3448ce3999a60440baaa72
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath Evidence Type Source Name Value Confidence Vendor jar package name jline Highest Vendor pom name JLine High Vendor pom groupid jline Highest Vendor file name jline High Vendor Manifest bundle-symbolicname jline Medium Vendor pom artifactid jline Low Vendor gradle groupid jline Highest Product jar package name jline Highest Product pom name JLine High Product pom groupid jline Highest Product file name jline High Product Manifest bundle-symbolicname jline Medium Product Manifest Bundle-Name JLine Medium Product pom artifactid jline Highest Product gradle artifactid jline Highest Version file version 2.12 High Version pom version 2.12 Highest Version gradle version 2.12 Highest
jline-2.12.jar: jansi.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/jline/jline/2.12/ce9062c6a125e0f9ad766032573c041ae8ecc986/jline-2.12.jar/META-INF/native/windows32/jansi.dll
MD5: 1e56641bb68937f8e2020cbff5d04a08
SHA1: 97f6e12599bb5848867b9762184d055ed918ab2a
SHA256: 0f59ff32a7c70e00a580d893de42ffaf48d0242b4d6251792666919b10ac3cd4
Referenced In Projects/Scopes:
calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath Evidence Type Source Name Value Confidence Vendor file name jansi High Product file name jansi High
jline-2.12.jar: jansi.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/jline/jline/2.12/ce9062c6a125e0f9ad766032573c041ae8ecc986/jline-2.12.jar/META-INF/native/windows64/jansi.dll
MD5: fd3a20891286c958103f3ea07174cd3c
SHA1: 829195c9e338d5725cf304ae33fc209db53884eb
SHA256: c33505a7c1fb847c03329a4f0e4b3c5cebac3a3604133d797d09172de25e3978
Referenced In Projects/Scopes:
calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath Evidence Type Source Name Value Confidence Vendor file name jansi High Product file name jansi High
jline-builtins-3.18.0.jar
Description:
JLine
License:
https://opensource.org/licenses/BSD-3-Clause
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jline/jline-builtins/3.18.0/5bcc0b4704168c5ea59194039477b7d5f5445260/jline-builtins-3.18.0.jar
MD5: 2f0ea1aaca354040ef11f6753e1cfd62
SHA1: 5bcc0b4704168c5ea59194039477b7d5f5445260
SHA256: 4adc5f75aec9aec75c86ab56bcac21f3eb5535a8e0826ca40af27bfe075aa33f
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence Type Source Name Value Confidence Vendor gradle groupid org.jline Highest Vendor pom name JLine Builtins High Vendor jar package name jline Highest Vendor Manifest bundle-symbolicname org.jline.builtins Medium Vendor pom parent-groupid org.jline Medium Vendor pom parent-artifactid jline-parent Low Vendor Manifest build-jdk-spec 11 Low Vendor file name jline-builtins High Vendor jar package name builtins Highest Vendor pom groupid jline Highest Vendor pom artifactid jline-builtins Low Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor Manifest automatic-module-name org.jline.builtins Medium Product pom name JLine Builtins High Product jar package name jline Highest Product Manifest bundle-symbolicname org.jline.builtins Medium Product Manifest Bundle-Name JLine Builtins Medium Product pom parent-groupid org.jline Medium Product Manifest build-jdk-spec 11 Low Product file name jline-builtins High Product jar package name builtins Highest Product gradle artifactid jline-builtins Highest Product pom groupid jline Highest Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product pom parent-artifactid jline-parent Medium Product Manifest automatic-module-name org.jline.builtins Medium Product pom artifactid jline-builtins Highest Version file version 3.18.0 High Version Manifest Bundle-Version 3.18.0 High Version pom version 3.18.0 Highest Version gradle version 3.18.0 Highest
jline-console-3.18.0.jar
Description:
JLine
License:
https://opensource.org/licenses/BSD-3-Clause
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jline/jline-console/3.18.0/4910d30ecb98fb56e3546e3ea9a672a1b7d77bf/jline-console-3.18.0.jar
MD5: 006f805401261896c3ed414385a85882
SHA1: 04910d30ecb98fb56e3546e3ea9a672a1b7d77bf
SHA256: 288b04e3be5a2963a9b8f963cad63301a61b2484e72317d5e7c34f26537313db
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence Type Source Name Value Confidence Vendor gradle groupid org.jline Highest Vendor jar package name jline Highest Vendor file name jline-console High Vendor Manifest automatic-module-name org.jline.console Medium Vendor pom artifactid jline-console Low Vendor pom parent-groupid org.jline Medium Vendor pom parent-artifactid jline-parent Low Vendor Manifest build-jdk-spec 11 Low Vendor pom name JLine Console High Vendor pom groupid jline Highest Vendor Manifest bundle-symbolicname org.jline.console Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor jar package name console Highest Product gradle artifactid jline-console Highest Product jar package name jline Highest Product file name jline-console High Product Manifest automatic-module-name org.jline.console Medium Product pom parent-groupid org.jline Medium Product Manifest build-jdk-spec 11 Low Product pom name JLine Console High Product pom artifactid jline-console Highest Product pom groupid jline Highest Product Manifest bundle-symbolicname org.jline.console Medium Product Manifest Bundle-Name JLine Console Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product pom parent-artifactid jline-parent Medium Product jar package name console Highest Version file version 3.18.0 High Version Manifest Bundle-Version 3.18.0 High Version pom version 3.18.0 Highest Version gradle version 3.18.0 Highest
jline-reader-3.18.0.jar
Description:
JLine
License:
https://opensource.org/licenses/BSD-3-Clause
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jline/jline-reader/3.18.0/792de4515e58ec2a2dbbb32bc3b0b20202261899/jline-reader-3.18.0.jar
MD5: 9b4cdc815d2ba221e53b885c83db6242
SHA1: 792de4515e58ec2a2dbbb32bc3b0b20202261899
SHA256: 04b782f8c34731adc4cbca8131b28f0d41b4f14da7f04c57ffdd11f48a2af730
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence Type Source Name Value Confidence Vendor gradle groupid org.jline Highest Vendor file name jline-reader High Vendor jar package name jline Highest Vendor pom parent-groupid org.jline Medium Vendor Manifest automatic-module-name org.jline.reader Medium Vendor pom parent-artifactid jline-parent Low Vendor pom artifactid jline-reader Low Vendor Manifest build-jdk-spec 11 Low Vendor jar package name reader Highest Vendor pom name JLine Reader High Vendor pom groupid jline Highest Vendor Manifest bundle-symbolicname org.jline.reader Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product file name jline-reader High Product jar package name jline Highest Product gradle artifactid jline-reader Highest Product pom parent-groupid org.jline Medium Product Manifest automatic-module-name org.jline.reader Medium Product Manifest build-jdk-spec 11 Low Product Manifest Bundle-Name JLine Reader Medium Product jar package name reader Highest Product pom name JLine Reader High Product pom groupid jline Highest Product pom artifactid jline-reader Highest Product Manifest bundle-symbolicname org.jline.reader Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product pom parent-artifactid jline-parent Medium Version file version 3.18.0 High Version Manifest Bundle-Version 3.18.0 High Version pom version 3.18.0 Highest Version gradle version 3.18.0 Highest
jline-style-3.18.0.jar
Description:
JLine
License:
https://opensource.org/licenses/BSD-3-Clause
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jline/jline-style/3.18.0/4f65fef540e3f90d8781a22aecb306e6e7ea49f6/jline-style-3.18.0.jar
MD5: 00b939bb117a59c4f9acd7713ee51c41
SHA1: 4f65fef540e3f90d8781a22aecb306e6e7ea49f6
SHA256: 29b9792c7d133ce31dd09258cb128002cb107797caebe16697bba0938de0640f
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence Type Source Name Value Confidence Vendor gradle groupid org.jline Highest Vendor jar package name jline Highest Vendor jar package name style Highest Vendor pom parent-groupid org.jline Medium Vendor pom name JLine Style High Vendor pom parent-artifactid jline-parent Low Vendor Manifest build-jdk-spec 11 Low Vendor Manifest bundle-symbolicname org.jline.style Medium Vendor file name jline-style High Vendor pom groupid jline Highest Vendor Manifest automatic-module-name org.jline.style Medium Vendor pom artifactid jline-style Low Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product jar package name jline Highest Product Manifest Bundle-Name JLine Style Medium Product jar package name style Highest Product pom parent-groupid org.jline Medium Product pom name JLine Style High Product Manifest build-jdk-spec 11 Low Product Manifest bundle-symbolicname org.jline.style Medium Product gradle artifactid jline-style Highest Product file name jline-style High Product pom groupid jline Highest Product Manifest automatic-module-name org.jline.style Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product pom artifactid jline-style Highest Product pom parent-artifactid jline-parent Medium Version file version 3.18.0 High Version Manifest Bundle-Version 3.18.0 High Version pom version 3.18.0 Highest Version gradle version 3.18.0 Highest
jline-terminal-3.18.0.jar
Description:
JLine
License:
https://opensource.org/licenses/BSD-3-Clause
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jline/jline-terminal/3.18.0/c6f4fd607701654de95f1f2a6dcc2360a9554404/jline-terminal-3.18.0.jar
MD5: e302c3831adbdb0dd73ccd35cdf6919d
SHA1: c6f4fd607701654de95f1f2a6dcc2360a9554404
SHA256: 4912c47936aabe366d84ae64ba84c2d0830beb6504a95469326f69a63f361228
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence Type Source Name Value Confidence Vendor gradle groupid org.jline Highest Vendor Manifest automatic-module-name org.jline.terminal Medium Vendor pom artifactid jline-terminal Low Vendor jar package name jline Highest Vendor file name jline-terminal High Vendor pom parent-groupid org.jline Medium Vendor pom parent-artifactid jline-parent Low Vendor Manifest build-jdk-spec 11 Low Vendor pom groupid jline Highest Vendor pom name JLine Terminal High Vendor jar package name terminal Highest Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor Manifest bundle-symbolicname org.jline.terminal Medium Product Manifest automatic-module-name org.jline.terminal Medium Product jar package name jline Highest Product file name jline-terminal High Product pom parent-groupid org.jline Medium Product gradle artifactid jline-terminal Highest Product Manifest build-jdk-spec 11 Low Product pom artifactid jline-terminal Highest Product Manifest Bundle-Name JLine Terminal Medium Product pom groupid jline Highest Product pom name JLine Terminal High Product jar package name terminal Highest Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product Manifest bundle-symbolicname org.jline.terminal Medium Product pom parent-artifactid jline-parent Medium Version file version 3.18.0 High Version Manifest Bundle-Version 3.18.0 High Version pom version 3.18.0 Highest Version gradle version 3.18.0 Highest
jline-terminal-jansi-3.18.0.jar
Description:
JLine
License:
https://opensource.org/licenses/BSD-3-Clause
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jline/jline-terminal-jansi/3.18.0/d24cfab8009e61152f1d666c53696162260c79eb/jline-terminal-jansi-3.18.0.jar
MD5: 2a0ae6101c81ee99140d52126d2f9cd6
SHA1: d24cfab8009e61152f1d666c53696162260c79eb
SHA256: 8baa49dc3d7243f74b1bf6e039c61399e0ebed01d90f4ae2eaa1c8b47bd4e848
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence Type Source Name Value Confidence Vendor gradle groupid org.jline Highest Vendor jar package name jline Highest Vendor pom parent-groupid org.jline Medium Vendor pom parent-artifactid jline-parent Low Vendor Manifest build-jdk-spec 11 Low Vendor pom name JLine JANSI Terminal High Vendor Manifest automatic-module-name org.jline.terminal.jansi Medium Vendor jar package name jansi Highest Vendor pom groupid jline Highest Vendor pom artifactid jline-terminal-jansi Low Vendor jar package name terminal Highest Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor Manifest bundle-symbolicname org.jline.terminal-jansi Medium Vendor file name jline-terminal-jansi High Product gradle artifactid jline-terminal-jansi Highest Product jar package name jline Highest Product pom parent-groupid org.jline Medium Product Manifest build-jdk-spec 11 Low Product pom name JLine JANSI Terminal High Product Manifest automatic-module-name org.jline.terminal.jansi Medium Product jar package name jansi Highest Product pom groupid jline Highest Product pom artifactid jline-terminal-jansi Highest Product jar package name terminal Highest Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product Manifest bundle-symbolicname org.jline.terminal-jansi Medium Product pom parent-artifactid jline-parent Medium Product Manifest Bundle-Name JLine JANSI Terminal Medium Product file name jline-terminal-jansi High Version file version 3.18.0 High Version Manifest Bundle-Version 3.18.0 High Version pom version 3.18.0 Highest Version gradle version 3.18.0 Highest
jline-terminal-jna-3.18.0.jar
Description:
JLine
License:
https://opensource.org/licenses/BSD-3-Clause
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jline/jline-terminal-jna/3.18.0/cf78f3608b5ff8abdb2039b421bb47579338c740/jline-terminal-jna-3.18.0.jar
MD5: 385b17c39b2955cec90446c7991407fc
SHA1: cf78f3608b5ff8abdb2039b421bb47579338c740
SHA256: 8b87fd50724de7ebd749882cc895a6be25330b482df4d799a8761b65cc26fdb4
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence Type Source Name Value Confidence Vendor gradle groupid org.jline Highest Vendor jar package name jline Highest Vendor pom parent-groupid org.jline Medium Vendor pom parent-artifactid jline-parent Low Vendor Manifest automatic-module-name org.jline.terminal.jna Medium Vendor Manifest build-jdk-spec 11 Low Vendor pom artifactid jline-terminal-jna Low Vendor pom name JLine JNA Terminal High Vendor pom groupid jline Highest Vendor file name jline-terminal-jna High Vendor jar package name jna Highest Vendor jar package name terminal Highest Vendor Manifest bundle-symbolicname org.jline.terminal-jna Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product pom artifactid jline-terminal-jna Highest Product jar package name jline Highest Product pom parent-groupid org.jline Medium Product Manifest automatic-module-name org.jline.terminal.jna Medium Product Manifest build-jdk-spec 11 Low Product pom name JLine JNA Terminal High Product pom groupid jline Highest Product file name jline-terminal-jna High Product jar package name jna Highest Product Manifest Bundle-Name JLine JNA Terminal Medium Product jar package name terminal Highest Product Manifest bundle-symbolicname org.jline.terminal-jna Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product pom parent-artifactid jline-parent Medium Product gradle artifactid jline-terminal-jna Highest Version file version 3.18.0 High Version Manifest Bundle-Version 3.18.0 High Version pom version 3.18.0 Highest Version gradle version 3.18.0 Highest
jmh-core-1.21.jar
Description:
The jmh is a Java harness for building, running, and analysing nano/micro/macro benchmarks written in Java and other languages targeting the JVM.
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.openjdk.jmh/jmh-core/1.21/442447101f63074c61063858033fbfde8a076873/jmh-core-1.21.jar
MD5: 87fe00275cdaa76a31f73906fc8ee9d7
SHA1: 442447101f63074c61063858033fbfde8a076873
SHA256: 79aecd73ffb5d95d88b1ac36b505fa30ae3e83788e936838e2be9a51074fd2dd
Referenced In Projects/Scopes:
ubenchmark:jmhCompileClasspath ubenchmark:jmh Evidence Type Source Name Value Confidence Vendor pom artifactid jmh-core Low Vendor pom groupid openjdk.jmh Highest Vendor jar package name openjdk Highest Vendor pom organization name Oracle High Vendor pom parent-groupid org.openjdk.jmh Medium Vendor jar package name jmh Highest Vendor pom name JMH Core High Vendor jar package name core Highest Vendor pom organization url http://openjdk.java.net/ Medium Vendor pom (hint) organization name sun High Vendor pom parent-artifactid jmh-parent Low Vendor jar package name jmh Low Vendor gradle groupid org.openjdk.jmh Highest Vendor jar package name openjdk Low Vendor file name jmh-core High Product pom groupid openjdk.jmh Highest Product pom parent-artifactid jmh-parent Medium Product jar package name openjdk Highest Product gradle artifactid jmh-core Highest Product pom parent-groupid org.openjdk.jmh Medium Product pom organization name Oracle Low Product jar package name jmh Highest Product pom name JMH Core High Product jar package name core Highest Product pom artifactid jmh-core Highest Product jar package name jmh Low Product pom organization url http://openjdk.java.net/ Low Product file name jmh-core High Version gradle version 1.21 Highest Version file version 1.21 High Version pom version 1.21 Highest
jmh-generator-annprocess-1.12.jar
Description:
JMH benchmark generator, based on annotation processors.
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.openjdk.jmh/jmh-generator-annprocess/1.12/9ad5888fdd36dd4b12bce5883069d9d82562ab6c/jmh-generator-annprocess-1.12.jar
MD5: d53f3168f15f61ee3a2f36ec06607af6
SHA1: 9ad5888fdd36dd4b12bce5883069d9d82562ab6c
SHA256: 1739e5c97e8d7c9ed8dca96a7a97491a3a850dd37e9a8d315e0dfe7a1d9dafb9
Referenced In Project/Scope: ubenchmark:jmhCompileClasspath
Evidence Type Source Name Value Confidence Vendor pom name JMH Generators: Annotation Processors High Vendor jar package name generators Low Vendor pom groupid openjdk.jmh Highest Vendor jar package name openjdk Highest Vendor file name jmh-generator-annprocess High Vendor pom parent-groupid org.openjdk.jmh Medium Vendor jar package name jmh Highest Vendor pom artifactid jmh-generator-annprocess Low Vendor jar package name generators Highest Vendor pom parent-artifactid jmh-parent Low Vendor jar package name jmh Low Vendor gradle groupid org.openjdk.jmh Highest Vendor jar package name openjdk Low Product pom name JMH Generators: Annotation Processors High Product jar package name generators Low Product pom groupid openjdk.jmh Highest Product pom parent-artifactid jmh-parent Medium Product jar package name openjdk Highest Product file name jmh-generator-annprocess High Product pom parent-groupid org.openjdk.jmh Medium Product jar package name jmh Highest Product jar package name annotations Low Product jar package name generators Highest Product pom artifactid jmh-generator-annprocess Highest Product gradle artifactid jmh-generator-annprocess Highest Product jar package name jmh Low Version gradle version 1.12 Highest Version file version 1.12 High Version pom version 1.12 Highest
jmh-generator-asm-1.21.jar
Description:
JMH benchmark generator, based on ASM bytecode manipulation.
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.openjdk.jmh/jmh-generator-asm/1.21/670ffd88255faf81ad294f0d8a9eba0292f5a554/jmh-generator-asm-1.21.jar
MD5: 7699014393f3a0b92e19e86dfa26923b
SHA1: 670ffd88255faf81ad294f0d8a9eba0292f5a554
SHA256: f6757d41c0c99d0f463d0bea726ca3f9fae2713d577f3935e8ceb2b8635f8e0b
Referenced In Projects/Scopes:
ubenchmark:jmhCompileClasspath ubenchmark:jmh Evidence Type Source Name Value Confidence Vendor jar package name generators Low Vendor pom groupid openjdk.jmh Highest Vendor file name jmh-generator-asm High Vendor jar package name asm Highest Vendor jar package name openjdk Highest Vendor pom parent-groupid org.openjdk.jmh Medium Vendor pom name JMH Generators: ASM High Vendor jar package name jmh Highest Vendor jar package name generators Highest Vendor pom artifactid jmh-generator-asm Low Vendor pom parent-artifactid jmh-parent Low Vendor jar package name jmh Low Vendor gradle groupid org.openjdk.jmh Highest Vendor jar package name openjdk Low Product jar package name generators Low Product pom groupid openjdk.jmh Highest Product file name jmh-generator-asm High Product jar package name asm Highest Product pom parent-artifactid jmh-parent Medium Product jar package name openjdk Highest Product pom parent-groupid org.openjdk.jmh Medium Product pom name JMH Generators: ASM High Product jar package name jmh Highest Product jar package name generators Highest Product jar package name asm Low Product pom artifactid jmh-generator-asm Highest Product jar package name jmh Low Product gradle artifactid jmh-generator-asm Highest Version gradle version 1.21 Highest Version file version 1.21 High Version pom version 1.21 Highest
jmh-generator-bytecode-1.21.jar
Description:
JMH benchmark generator, based on bytecode inspection.
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.openjdk.jmh/jmh-generator-bytecode/1.21/6a52cbbd7f5e2cf7a0163984241750cdd6cb1257/jmh-generator-bytecode-1.21.jar
MD5: 1675c247a3cd60c6ed72ad6f316c9581
SHA1: 6a52cbbd7f5e2cf7a0163984241750cdd6cb1257
SHA256: db4b0577f0a6413dc1299872c104518a54a3280abe486de7ec01003baf5ba018
Referenced In Projects/Scopes:
ubenchmark:jmhCompileClasspath ubenchmark:jmh Evidence Type Source Name Value Confidence Vendor jar package name generators Low Vendor pom groupid openjdk.jmh Highest Vendor jar package name openjdk Highest Vendor jar package name bytecode Highest Vendor pom parent-groupid org.openjdk.jmh Medium Vendor file name jmh-generator-bytecode High Vendor jar package name jmh Highest Vendor pom artifactid jmh-generator-bytecode Low Vendor jar package name generators Highest Vendor pom parent-artifactid jmh-parent Low Vendor pom name JMH Generators: Bytecode High Vendor jar package name jmh Low Vendor gradle groupid org.openjdk.jmh Highest Vendor jar package name openjdk Low Product jar package name generators Low Product pom groupid openjdk.jmh Highest Product pom parent-artifactid jmh-parent Medium Product jar package name openjdk Highest Product pom artifactid jmh-generator-bytecode Highest Product jar package name bytecode Highest Product pom parent-groupid org.openjdk.jmh Medium Product file name jmh-generator-bytecode High Product jar package name jmh Highest Product jar package name bytecode Low Product jar package name generators Highest Product pom name JMH Generators: Bytecode High Product jar package name jmh Low Product gradle artifactid jmh-generator-bytecode Highest Version gradle version 1.21 Highest Version file version 1.21 High Version pom version 1.21 Highest
jmh-generator-reflection-1.21.jar
Description:
JMH benchmark generator, based on reflection.
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.openjdk.jmh/jmh-generator-reflection/1.21/ed5a2bdca04daafac41c53cf82c3b9733fd91e89/jmh-generator-reflection-1.21.jar
MD5: e27b8bbb4cbd1846a0480648b8b38cee
SHA1: ed5a2bdca04daafac41c53cf82c3b9733fd91e89
SHA256: 80309a00b3afcf65d238603e66d60203280a6699de8867d16b4571c420a707bd
Referenced In Projects/Scopes:
ubenchmark:jmhCompileClasspath ubenchmark:jmh Evidence Type Source Name Value Confidence Vendor jar package name generators Low Vendor pom groupid openjdk.jmh Highest Vendor jar package name openjdk Highest Vendor pom parent-groupid org.openjdk.jmh Medium Vendor jar package name jmh Highest Vendor pom artifactid jmh-generator-reflection Low Vendor jar package name reflection Highest Vendor file name jmh-generator-reflection High Vendor jar package name generators Highest Vendor pom parent-artifactid jmh-parent Low Vendor jar package name jmh Low Vendor gradle groupid org.openjdk.jmh Highest Vendor jar package name openjdk Low Vendor pom name JMH Generators: Reflection High Product jar package name generators Low Product pom groupid openjdk.jmh Highest Product pom parent-artifactid jmh-parent Medium Product jar package name openjdk Highest Product pom artifactid jmh-generator-reflection Highest Product pom parent-groupid org.openjdk.jmh Medium Product jar package name jmh Highest Product jar package name reflection Highest Product file name jmh-generator-reflection High Product jar package name generators Highest Product gradle artifactid jmh-generator-reflection Highest Product jar package name reflection Low Product jar package name jmh Low Product pom name JMH Generators: Reflection High Version gradle version 1.21 Highest Version file version 1.21 High Version pom version 1.21 Highest
jna-5.5.0.jar
Description:
JNA Library
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.java.dev.jna/jna/5.5.0/e0845217c4907822403912ad6828d8e0b256208/jna-5.5.0.jar
MD5: acfb5b5fd9ee10bf69497792fd469f85
SHA1: 0e0845217c4907822403912ad6828d8e0b256208
SHA256: b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e
Referenced In Projects/Scopes:
calcite:sqllineClasspath geode:default geode:runtimeClasspath Evidence Type Source Name Value Confidence Vendor jar package name jna Low Vendor jar package name sun Highest Vendor jar (hint) package name oracle Low Vendor Manifest automatic-module-name com.sun.jna Medium Vendor Manifest Implementation-Vendor JNA Development Team High Vendor gradle groupid net.java.dev.jna Highest Vendor file name jna High Vendor Manifest bundle-activationpolicy lazy Low Vendor Manifest bundle-symbolicname com.sun.jna Medium Vendor Manifest bundle-category jni Low Vendor jar package name sun Low Vendor Manifest bundle-nativecode com/sun/jna/win32-x86/jnidispatch.dll; processor=x86;osname=win32, com/sun/jna/win32-x86-64/jnidispatch.dll; processor=x86-64;osname=win32, com/sun/jna/win32-x86/jnidispatch.dll; processor=x86;osname=win, com/sun/jna/win32-x86-64/jnidispatch.dll; processor=x86-64;osname=win, com/sun/jna/w32ce-arm/jnidispatch.dll; processor=arm;osname=wince, com/sun/jna/sunos-x86/libjnidispatch.so; processor=x86;osname=sunos, com/sun/jna/sunos-x86-64/libjnidispatch.so; processor=x86-64;osname=sunos, com/sun/jna/sunos-sparc/libjnidispatch.so; processor=sparc;osname=sunos, com/sun/jna/sunos-sparcv9/libjnidispatch.so; processor=sparcv9;osname=sunos, com/sun/jna/aix-ppc/libjnidispatch.a; processor=ppc;osname=aix, com/sun/jna/aix-ppc64/libjnidispatch.a; processor=ppc64;osname=aix, com/sun/jna/linux-ppc/libjnidispatch.so; processor=ppc;osname=linux, com/sun/jna/linux-ppc64/libjnidispatch.so; processor=ppc64;osname=linux, com/sun/jna/linux-ppc64le/libjnidispatch.so; processor=ppc64le;osname=linux, com/sun/jna/linux-x86/libjnidispatch.so; processor=x86;osname=linux, com/sun/jna/linux-x86-64/libjnidispatch.so; processor=x86-64;osname=linux, com/sun/jna/linux-arm/libjnidispatch.so; processor=arm;osname=linux, com/sun/jna/linux-arm/libjnidispatch.so; processor=arm_le;osname=linux, com/sun/jna/linux-armel/libjnidispatch.so; processor=armel;osname=linux, 
com/sun/jna/linux-aarch64/libjnidispatch.so; processor=aarch64;osname=linux, com/sun/jna/linux-ia64/libjnidispatch.so; processor=ia64;osname=linux, com/sun/jna/linux-sparcv9/libjnidispatch.so; processor=sparcv9;osname=linux, com/sun/jna/linux-mips64el/libjnidispatch.so; processor=mips64el;osname=linux, com/sun/jna/linux-s390x/libjnidispatch.so; processor=S390x;osname=linux, com/sun/jna/freebsd-x86/libjnidispatch.so; processor=x86;osname=freebsd, com/sun/jna/freebsd-x86-64/libjnidispatch.so; processor=x86-64;osname=freebsd, com/sun/jna/openbsd-x86/libjnidispatch.so; processor=x86;osname=openbsd, com/sun/jna/openbsd-x86-64/libjnidispatch.so; processor=x86-64;osname=openbsd, com/sun/jna/darwin/libjnidispatch.jnilib; osname=macosx;processor=x86;processor=x86-64;processor=ppc Low Vendor Manifest specification-vendor JNA Development Team Low Vendor jar package name jna Highest Vendor Manifest bundle-requiredexecutionenvironment JavaSE-1.6 Low Vendor jar (hint) package name oracle Highest Product jar package name jna Low Product Manifest Implementation-Title com.sun.jna High Product jar package name sun Highest Product Manifest automatic-module-name com.sun.jna Medium Product Manifest specification-title Java Native Access (JNA) Medium Product file name jna High Product Manifest bundle-activationpolicy lazy Low Product gradle artifactid jna Highest Product Manifest bundle-symbolicname com.sun.jna Medium Product Manifest bundle-category jni Low Product Manifest Bundle-Name jna Medium Product Manifest bundle-nativecode com/sun/jna/win32-x86/jnidispatch.dll; processor=x86;osname=win32, com/sun/jna/win32-x86-64/jnidispatch.dll; processor=x86-64;osname=win32, com/sun/jna/win32-x86/jnidispatch.dll; processor=x86;osname=win, com/sun/jna/win32-x86-64/jnidispatch.dll; processor=x86-64;osname=win, com/sun/jna/w32ce-arm/jnidispatch.dll; processor=arm;osname=wince, com/sun/jna/sunos-x86/libjnidispatch.so; processor=x86;osname=sunos, com/sun/jna/sunos-x86-64/libjnidispatch.so; 
processor=x86-64;osname=sunos, com/sun/jna/sunos-sparc/libjnidispatch.so; processor=sparc;osname=sunos, com/sun/jna/sunos-sparcv9/libjnidispatch.so; processor=sparcv9;osname=sunos, com/sun/jna/aix-ppc/libjnidispatch.a; processor=ppc;osname=aix, com/sun/jna/aix-ppc64/libjnidispatch.a; processor=ppc64;osname=aix, com/sun/jna/linux-ppc/libjnidispatch.so; processor=ppc;osname=linux, com/sun/jna/linux-ppc64/libjnidispatch.so; processor=ppc64;osname=linux, com/sun/jna/linux-ppc64le/libjnidispatch.so; processor=ppc64le;osname=linux, com/sun/jna/linux-x86/libjnidispatch.so; processor=x86;osname=linux, com/sun/jna/linux-x86-64/libjnidispatch.so; processor=x86-64;osname=linux, com/sun/jna/linux-arm/libjnidispatch.so; processor=arm;osname=linux, com/sun/jna/linux-arm/libjnidispatch.so; processor=arm_le;osname=linux, com/sun/jna/linux-armel/libjnidispatch.so; processor=armel;osname=linux, com/sun/jna/linux-aarch64/libjnidispatch.so; processor=aarch64;osname=linux, com/sun/jna/linux-ia64/libjnidispatch.so; processor=ia64;osname=linux, com/sun/jna/linux-sparcv9/libjnidispatch.so; processor=sparcv9;osname=linux, com/sun/jna/linux-mips64el/libjnidispatch.so; processor=mips64el;osname=linux, com/sun/jna/linux-s390x/libjnidispatch.so; processor=S390x;osname=linux, com/sun/jna/freebsd-x86/libjnidispatch.so; processor=x86;osname=freebsd, com/sun/jna/freebsd-x86-64/libjnidispatch.so; processor=x86-64;osname=freebsd, com/sun/jna/openbsd-x86/libjnidispatch.so; processor=x86;osname=openbsd, com/sun/jna/openbsd-x86-64/libjnidispatch.so; processor=x86-64;osname=openbsd, com/sun/jna/darwin/libjnidispatch.jnilib; osname=macosx;processor=x86;processor=x86-64;processor=ppc Low Product jar package name win32 Highest Product jar package name library Highest Product jar package name jna Highest Product Manifest bundle-requiredexecutionenvironment JavaSE-1.6 Low Product jar package name native Highest Version file version 5.5.0 High Version jar package name sun Highest Version jar package name 
win32 Highest Version jar package name jna Highest Version file name jna Medium Version Manifest Implementation-Version 5.5.0 (b0) High Version Manifest Bundle-Version 5.5.0 High Version gradle version 5.5.0 Highest
jna-5.5.0.jar: jnidispatch.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.java.dev.jna/jna/5.5.0/e0845217c4907822403912ad6828d8e0b256208/jna-5.5.0.jar/com/sun/jna/win32-x86-64/jnidispatch.dll
MD5: e02979ecd43bcc9061eb2b494ab5af50
SHA1: 3122ac0e751660f646c73b10c4f79685aa65c545
SHA256: a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jnidispatch | High
Product | file | name | jnidispatch | High
jna-5.5.0.jar: jnidispatch.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.java.dev.jna/jna/5.5.0/e0845217c4907822403912ad6828d8e0b256208/jna-5.5.0.jar/com/sun/jna/win32-x86/jnidispatch.dll
MD5: 28d895a3cb7e9a0b6a5ae5ed6a62b254
SHA1: 703d8604a8d04d29c52c0ebcde1e86f3bc8ff824
SHA256: 04c9a8ab43d1eb616b84d0686c8ae1d881ef03fe4f3aa26511e5b19d35ef16af
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | jnidispatch | High
Product | file | name | jnidispatch | High
jnr-constants-0.9.9.jar
Description:
A set of platform constants (e.g. errno values)
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.jnr/jnr-constants/0.9.9/33f23994e09aeb49880aa01e12e8e9eff058c14c/jnr-constants-0.9.9.jar
MD5: dda134f02497e1613fc0dd2d29bae42f
SHA1: 33f23994e09aeb49880aa01e12e8e9eff058c14c
SHA256: 6862e69646fb726684d8610bc5a65740feab5f235d8d1dc7596113bd1ad54181
Referenced In Projects/Scopes: cassandra:compileClasspath calcite:sqllineClasspath cassandra:runtimeClasspath cassandra:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | errno | Highest
Vendor | jar | package name | constants | Highest
Vendor | jar | package name | platform | Highest
Vendor | pom | artifactid | jnr-constants | Low
Vendor | gradle | groupid | com.github.jnr | Highest
Vendor | jar | package name | jnr | Highest
Vendor | pom | url | http://github.com/jnr/jnr-constants | Highest
Vendor | Manifest | bundle-symbolicname | com.github.jnr.constants | Medium
Vendor | pom | name | jnr-constants | High
Vendor | pom | groupid | github.jnr | Highest
Vendor | file | name | jnr-constants | High
Product | pom | artifactid | jnr-constants | Highest
Product | pom | url | http://github.com/jnr/jnr-constants | Medium
Product | jar | package name | errno | Highest
Product | jar | package name | platform | Highest
Product | Manifest | Bundle-Name | jnr-constants | Medium
Product | Manifest | bundle-symbolicname | com.github.jnr.constants | Medium
Product | pom | name | jnr-constants | High
Product | jar | package name | constants | Highest
Product | gradle | artifactid | jnr-constants | Highest
Product | jar | package name | jnr | Highest
Product | pom | groupid | github.jnr | Highest
Product | file | name | jnr-constants | High
Version | gradle | version | 0.9.9 | Highest
Version | file | version | 0.9.9 | High
Version | Manifest | Bundle-Version | 0.9.9 | High
Version | pom | version | 0.9.9 | Highest
jnr-ffi-2.1.7.jar
Description:
A library for invoking native functions from java
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.jnr/jnr-ffi/2.1.7/31a7391a212069303935a1df29566b7372d3ef9f/jnr-ffi-2.1.7.jar
MD5: 5c1ea66275918665f1d6827fe2db5f87
SHA1: 31a7391a212069303935a1df29566b7372d3ef9f
SHA256: 2ed1bedf59935cd3cc0964bac5cd91638b2e966a82041fe0a6c85f52279c9b34
Referenced In Projects/Scopes: cassandra:compileClasspath calcite:sqllineClasspath cassandra:runtimeClasspath cassandra:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | name | jnr-ffi | High
Vendor | file | name | jnr-ffi | High
Vendor | pom | url | http://github.com/jnr/jnr-ffi | Highest
Vendor | gradle | groupid | com.github.jnr | Highest
Vendor | jar | package name | ffi | Highest
Vendor | Manifest | bundle-symbolicname | com.github.jnr.ffi | Medium
Vendor | jar | package name | library | Highest
Vendor | jar | package name | jnr | Highest
Vendor | pom | artifactid | jnr-ffi | Low
Vendor | pom | groupid | github.jnr | Highest
Product | gradle | artifactid | jnr-ffi | Highest
Product | pom | name | jnr-ffi | High
Product | pom | url | http://github.com/jnr/jnr-ffi | Medium
Product | file | name | jnr-ffi | High
Product | jar | package name | ffi | Highest
Product | jar | package name | library | Highest
Product | Manifest | bundle-symbolicname | com.github.jnr.ffi | Medium
Product | jar | package name | jnr | Highest
Product | Manifest | Bundle-Name | jnr-ffi | Medium
Product | pom | artifactid | jnr-ffi | Highest
Product | pom | groupid | github.jnr | Highest
Version | file | version | 2.1.7 | High
Version | Manifest | Bundle-Version | 2.1.7 | High
Version | pom | version | 2.1.7 | Highest
Version | gradle | version | 2.1.7 | Highest
jnr-posix-3.0.44.jar
Description:
Common cross-project/cross-platform POSIX APIs
License:
Common Public License - v 1.0: http://www-128.ibm.com/developerworks/library/os-cpl.html
GNU General Public License Version 2: http://www.gnu.org/copyleft/gpl.html
GNU Lesser General Public License Version 2.1: http://www.gnu.org/licenses/lgpl.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.jnr/jnr-posix/3.0.44/1f8e4551454e613c04f6d4045ed9d5b98e21980f/jnr-posix-3.0.44.jar
MD5: 6e9121b8c504de94e34499570ed189c2
SHA1: 1f8e4551454e613c04f6d4045ed9d5b98e21980f
SHA256: 8442c39b21a82eab9f07039ddd5caeb1707247e1bf45c2abf3150869393ce182
Referenced In Projects/Scopes: cassandra:compileClasspath calcite:sqllineClasspath cassandra:runtimeClasspath cassandra:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | name | jnr-posix | High
Vendor | jar | package name | platform | Highest
Vendor | gradle | groupid | com.github.jnr | Highest
Vendor | jar | package name | jnr | Highest
Vendor | Manifest | bundle-symbolicname | com.github.jnr.posix | Medium
Vendor | pom | artifactid | jnr-posix | Low
Vendor | jar | package name | posix | Highest
Vendor | pom | groupid | github.jnr | Highest
Vendor | file | name | jnr-posix | High
Product | pom | name | jnr-posix | High
Product | gradle | artifactid | jnr-posix | Highest
Product | jar | package name | platform | Highest
Product | jar | package name | jnr | Highest
Product | pom | artifactid | jnr-posix | Highest
Product | Manifest | bundle-symbolicname | com.github.jnr.posix | Medium
Product | jar | package name | posix | Highest
Product | Manifest | Bundle-Name | jnr-posix | Medium
Product | pom | groupid | github.jnr | Highest
Product | file | name | jnr-posix | High
Product | Manifest | Implementation-Title | JNA-POSIX | High
Version | Manifest | Bundle-Version | 3.0.44 | High
Version | gradle | version | 3.0.44 | Highest
Version | pom | version | 3.0.44 | Highest
Version | file | version | 3.0.44 | High
jnr-x86asm-1.0.2.jar
Description:
A pure-java X86 and X86_64 assembler
License:
MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.jnr/jnr-x86asm/1.0.2/6936bbd6c5b235665d87bd450f5e13b52d4b48/jnr-x86asm-1.0.2.jar
MD5: 00670735acb2a9d1421b506dc7d338bc
SHA1: 006936bbd6c5b235665d87bd450f5e13b52d4b48
SHA256: 39f3675b910e6e9b93825f8284bec9f4ad3044cd20a6f7c8ff9e2f8695ebf21e
Referenced In Projects/Scopes: cassandra:compileClasspath calcite:sqllineClasspath cassandra:runtimeClasspath cassandra:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | jnr-x86asm | Low
Vendor | file | name | jnr-x86asm | High
Vendor | gradle | groupid | com.github.jnr | Highest
Vendor | jar | package name | jnr | Highest
Vendor | jar | package name | x86asm | Highest
Vendor | jar | package name | x86asm | Low
Vendor | pom | name | jnr-x86asm | High
Vendor | pom | groupid | github.jnr | Highest
Vendor | jar | package name | assembler | Highest
Vendor | pom | url | http://github.com/jnr/jnr-x86asm | Highest
Vendor | jar | package name | jnr | Low
Product | pom | artifactid | jnr-x86asm | Highest
Product | file | name | jnr-x86asm | High
Product | jar | package name | jnr | Highest
Product | jar | package name | x86asm | Highest
Product | jar | package name | x86asm | Low
Product | pom | name | jnr-x86asm | High
Product | pom | groupid | github.jnr | Highest
Product | jar | package name | assembler | Highest
Product | pom | url | http://github.com/jnr/jnr-x86asm | Medium
Product | gradle | artifactid | jnr-x86asm | Highest
Version | file | version | 1.0.2 | High
Version | gradle | version | 1.0.2 | Highest
Version | pom | version | 1.0.2 | Highest
joda-time-2.8.1.jar
Description:
Date and time library to replace JDK date handling
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/joda-time/joda-time/2.8.1/f5bfc718c95a7b1d3c371bb02a188a4df18361a9/joda-time-2.8.1.jar
MD5: c23002a0fac3455e92551e7f24500fa4
SHA1: f5bfc718c95a7b1d3c371bb02a188a4df18361a9
SHA256: b4670b95f75957c974284c5f3ada966040be2578f643c5c6083d262162061fa2
Referenced In Projects/Scopes: piglet:compileClasspath druid:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath druid:runtimeClasspath piglet:default druid:default pig:default pig:compileClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | organization url | http://www.joda.org | Medium
Vendor | pom | artifactid | joda-time | Low
Vendor | Manifest | bundle-symbolicname | joda-time | Medium
Vendor | Manifest | implementation-url | http://www.joda.org/joda-time/ | Low
Vendor | gradle | groupid | joda-time | Highest
Vendor | Manifest | extension-name | joda-time | Medium
Vendor | pom | groupid | joda-time | Highest
Vendor | pom | url | http://www.joda.org/joda-time/ | Highest
Vendor | jar | package name | joda | Highest
Vendor | jar | package name | time | Highest
Vendor | pom | organization name | Joda.org | High
Vendor | pom | name | Joda-Time | High
Vendor | Manifest | Implementation-Vendor-Id | org.joda | Medium
Vendor | Manifest | bundle-docurl | http://www.joda.org/joda-time/ | Low
Vendor | Manifest | Implementation-Vendor | Joda.org | High
Vendor | Manifest | specification-vendor | Joda.org | Low
Vendor | file | name | joda-time | High
Product | gradle | artifactid | joda-time | Highest
Product | pom | organization name | Joda.org | Low
Product | Manifest | bundle-symbolicname | joda-time | Medium
Product | Manifest | implementation-url | http://www.joda.org/joda-time/ | Low
Product | Manifest | extension-name | joda-time | Medium
Product | pom | url | http://www.joda.org/joda-time/ | Medium
Product | pom | groupid | joda-time | Highest
Product | jar | package name | joda | Highest
Product | jar | package name | time | Highest
Product | pom | artifactid | joda-time | Highest
Product | pom | name | Joda-Time | High
Product | Manifest | Bundle-Name | Joda-Time | Medium
Product | pom | organization url | http://www.joda.org | Low
Product | Manifest | Implementation-Title | org.joda.time | High
Product | Manifest | bundle-docurl | http://www.joda.org/joda-time/ | Low
Product | Manifest | specification-title | Joda-Time | Medium
Product | file | name | joda-time | High
Version | pom | version | 2.8.1 | Highest
Version | gradle | version | 2.8.1 | Highest
Version | Manifest | Implementation-Version | 2.8.1 | High
Version | Manifest | Bundle-Version | 2.8.1 | High
Version | file | version | 2.8.1 | High
jopt-simple-4.6.jar
Description:
A Java library for parsing command line options
License:
The MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.sf.jopt-simple/jopt-simple/4.6/306816fb57cf94f108a43c95731b08934dcae15c/jopt-simple-4.6.jar
MD5: 13560a58a79b46b82057686543e8d727
SHA1: 306816fb57cf94f108a43c95731b08934dcae15c
SHA256: 3fcfbe3203c2ea521bf7640484fd35d6303186ea2e08e72f032d640ca067ffda
Referenced In Projects/Scopes: ubenchmark:jmhCompileClasspath ubenchmark:jmh
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | net.sf.jopt-simple | Highest
Vendor | pom | name | JOpt Simple | High
Vendor | gradle | groupid | net.sf.jopt-simple | Highest
Vendor | file | name | jopt-simple | High
Vendor | pom | url | http://pholser.github.com/jopt-simple | Highest
Vendor | pom | artifactid | jopt-simple | Low
Vendor | jar | package name | joptsimple | Low
Product | gradle | artifactid | jopt-simple | Highest
Product | pom | groupid | net.sf.jopt-simple | Highest
Product | pom | name | JOpt Simple | High
Product | pom | url | http://pholser.github.com/jopt-simple | Medium
Product | pom | artifactid | jopt-simple | Highest
Product | file | name | jopt-simple | High
Version | gradle | version | 4.6 | Highest
Version | file | version | 4.6 | High
Version | pom | version | 4.6 | Highest
jopt-simple-5.0.4.jar
Description:
A Java library for parsing command line options
License:
The MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.sf.jopt-simple/jopt-simple/5.0.4/4fdac2fbe92dfad86aa6e9301736f6b4342a3f5c/jopt-simple-5.0.4.jar
MD5: eb0d9dffe9b0eddead68fe678be76c49
SHA1: 4fdac2fbe92dfad86aa6e9301736f6b4342a3f5c
SHA256: df26cc58f235f477db07f753ba5a3ab243ebe5789d9f89ecf68dd62ea9a66c28
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | bundle-symbolicname | net.sf.jopt-simple.jopt-simple | Medium
Vendor | pom | groupid | net.sf.jopt-simple | Highest
Vendor | pom | name | JOpt Simple | High
Vendor | pom | url | http://jopt-simple.github.io/jopt-simple | Highest
Vendor | gradle | groupid | net.sf.jopt-simple | Highest
Vendor | file | name | jopt-simple | High
Vendor | pom | artifactid | jopt-simple | Low
Product | Manifest | bundle-symbolicname | net.sf.jopt-simple.jopt-simple | Medium
Product | gradle | artifactid | jopt-simple | Highest
Product | pom | groupid | net.sf.jopt-simple | Highest
Product | pom | name | JOpt Simple | High
Product | Manifest | Bundle-Name | jopt-simple | Medium
Product | pom | artifactid | jopt-simple | Highest
Product | pom | url | http://jopt-simple.github.io/jopt-simple | Medium
Product | file | name | jopt-simple | High
Version | file | version | 5.0.4 | High
Version | Manifest | Bundle-Version | 5.0.4 | High
Version | gradle | version | 5.0.4 | Highest
Version | pom | version | 5.0.4 | Highest
jsch-0.1.54.jar
Description:
JSch is a pure Java implementation of SSH2
License:
Revised BSD: http://www.jcraft.com/jsch/LICENSE.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.jcraft/jsch/0.1.54/da3584329a263616e277e15462b387addd1b208d/jsch-0.1.54.jar
MD5: 56a6c6fc5819e21c665355b39b9097d8
SHA1: da3584329a263616e277e15462b387addd1b208d
SHA256: 92eb273a3316762478fdd4fe03a0ce1842c56f496c9c12fe1235db80450e1fdb
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath piglet:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | organization name | JCraft,Inc. | High
Vendor | pom | organization url | http://www.jcraft.com/ | Medium
Vendor | pom | artifactid | jsch | Low
Vendor | file | name | jsch | High
Vendor | jar | package name | jcraft | Highest
Vendor | jar | package name | jsch | Highest
Vendor | jar | package name | jcraft | Low
Vendor | pom | name | JSch | High
Vendor | pom | groupid | jcraft | Highest
Vendor | gradle | groupid | com.jcraft | Highest
Vendor | jar | package name | jsch | Low
Vendor | pom | url | http://www.jcraft.com/jsch/ | Highest
Product | pom | organization name | JCraft,Inc. | Low
Product | pom | url | http://www.jcraft.com/jsch/ | Medium
Product | jar | package name | jsch | Highest
Product | pom | name | JSch | High
Product | file | name | jsch | High
Product | pom | groupid | jcraft | Highest
Product | jar | package name | jcraft | Highest
Product | pom | organization url | http://www.jcraft.com/ | Low
Product | jar | package name | jsch | Low
Product | gradle | artifactid | jsch | Highest
Product | pom | artifactid | jsch | Highest
Version | gradle | version | 0.1.54 | Highest
Version | pom | version | 0.1.54 | Highest
Version | file | version | 0.1.54 | High
json-path-2.4.0.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.jayway.jsonpath/json-path/2.4.0/765a4401ceb2dc8d40553c2075eb80a8fa35c2ae/json-path-2.4.0.jar
MD5: 29169b4b1115bc851e5734ef35ecd42a
SHA1: 765a4401ceb2dc8d40553c2075eb80a8fa35c2ae
SHA256: 60441c74fb64e5a480070f86a604941927aaf684e2b513d780fb7a38fb4c5639
Referenced In Projects/Scopes: babel:default piglet:runtimeClasspath spark:default splunk:default function:runtimeClasspath kafka:default redis:runtimeClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath core:default babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default pig:default plus:runtimeClasspath function:default csv:default core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath core:compileClasspath file:runtimeClasspath innodb:runtimeClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default elasticsearch:default druid:runtimeClasspath mongodb:runtimeClasspath file:default server:default pig:runtimeClasspath mongodb:default redis:default geode:runtimeClasspath csv:runtimeClasspath plus:default cassandra:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | jayway | Highest
Vendor | jar | package name | internal | Low
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Vendor | jar | package name | jayway | Low
Vendor | gradle | groupid | com.jayway.jsonpath | Highest
Vendor | jar | package name | jsonpath | Highest
Vendor | file | name | json-path | High
Vendor | Manifest | bundle-symbolicname | com.jayway.jsonpath.json-path | Medium
Vendor | jar | package name | jsonpath | Low
Product | jar | package name | jayway | Highest
Product | jar | package name | internal | Low
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | Manifest | Bundle-Name | json-path | Medium
Product | Manifest | Implementation-Title | json-path | High
Product | file | name | json-path | High
Product | gradle | artifactid | json-path | Highest
Product | jar | package name | jsonpath | Highest
Product | jar | package name | filter | Highest
Product | jar | package name | path | Highest
Product | jar | package name | json | Highest
Product | Manifest | bundle-symbolicname | com.jayway.jsonpath.json-path | Medium
Product | jar | package name | jsonpath | Low
Version | Manifest | Implementation-Version | 2.4.0 | High
Version | file | version | 2.4.0 | High
json-smart-2.3.jar
Description:
JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.minidev/json-smart/2.3/7396407491352ce4fa30de92efb158adb76b5b/json-smart-2.3.jar
MD5: f2a921d4baaa7308de04eed4d8d72715
SHA1: 007396407491352ce4fa30de92efb158adb76b5b
SHA256: 903f48c8aa4c3f6426440b8d32de89fa1dc23b1169abde25e4e1d068aa67708b
Referenced In Projects/Scopes: babel:default piglet:runtimeClasspath spark:default splunk:default function:runtimeClasspath kafka:default redis:runtimeClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath core:default babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default pig:default plus:runtimeClasspath function:default csv:default core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath core:compileClasspath file:runtimeClasspath innodb:runtimeClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default elasticsearch:default druid:runtimeClasspath mongodb:runtimeClasspath file:default server:default pig:runtimeClasspath mongodb:default redis:default geode:runtimeClasspath csv:runtimeClasspath plus:default cassandra:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | net | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Vendor | jar | package name | parser | Highest
Vendor | pom | groupid | net.minidev | Highest
Vendor | Manifest | bundle-symbolicname | net.minidev.json-smart | Medium
Vendor | pom | url | http://www.minidev.net/ | Highest
Vendor | jar | package name | minidev | Highest
Vendor | pom | artifactid | json-smart | Low
Vendor | pom | organization name | Chemouni Uriel | High
Vendor | file | name | json-smart | High
Vendor | pom | organization url | http://www.minidev.net/ | Medium
Vendor | pom | name | JSON Small and Fast Parser | High
Vendor | gradle | groupid | net.minidev | Highest
Vendor | jar | package name | json | Highest
Vendor | Manifest | bundle-docurl | http://www.minidev.net/ | Low
Vendor | pom | parent-artifactid | minidev-parent | Low
Product | pom | organization url | http://www.minidev.net/ | Low
Product | jar | package name | net | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | pom | organization name | Chemouni Uriel | Low
Product | jar | package name | parser | Highest
Product | pom | groupid | net.minidev | Highest
Product | Manifest | bundle-symbolicname | net.minidev.json-smart | Medium
Product | gradle | artifactid | json-smart | Highest
Product | jar | package name | minidev | Highest
Product | Manifest | Bundle-Name | json-smart | Medium
Product | pom | artifactid | json-smart | Highest
Product | pom | parent-artifactid | minidev-parent | Medium
Product | file | name | json-smart | High
Product | pom | name | JSON Small and Fast Parser | High
Product | pom | url | http://www.minidev.net/ | Medium
Product | jar | package name | json | Highest
Product | Manifest | bundle-docurl | http://www.minidev.net/ | Low
Version | gradle | version | 2.3 | Highest
Version | Manifest | Bundle-Version | 2.3 | High
Version | file | version | 2.3 | High
Version | pom | version | 2.3 | Highest
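The report lists, for every artifact, its path in the Gradle cache and its MD5/SHA1/SHA256. Those two facts can be cross-checked against each other and against the files on disk: the directory component just before the jar name in a Gradle modules-2 cache path is the artifact's SHA-1 written as a hex number, so leading zeros drop out (compare the jna entry, SHA1 0e0845217c... in directory e0845217c..., the jnr-x86asm entry, SHA1 006936bb... in directory 6936bb..., and the json-smart entry above, SHA1 00739640... in directory 739640...). The checker below is an added example and is not part of Dependency-Check or of the scanned project; the sample report text is constructed from entries on this page (the jna block deliberately kept glued onto one line, as the extracted report has it), and the leading-zero rule is taken from those entries rather than from Gradle documentation. It parses the entries, confirms the cache directory agrees with the reported SHA-1, and recomputes all three digests when the artifact exists locally.

```python
"""Cross-check Dependency-Check report digests against the Gradle cache layout.

Added example; not part of the Dependency-Check report or the scanned project.
"""
import hashlib
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample: three "File Path / MD5 / SHA1 / SHA256" blocks copied from this
# report. The jna block is left flattened onto one line, exactly as the report text extracts.
SAMPLE_REPORT = """\
JNA Library File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.java.dev.jna/jna/5.5.0/e0845217c4907822403912ad6828d8e0b256208/jna-5.5.0.jarMD5: acfb5b5fd9ee10bf69497792fd469f85SHA1: 0e0845217c4907822403912ad6828d8e0b256208SHA256: b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9eReferenced In Projects/Scopes:
jnr-x86asm-1.0.2.jar File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.jnr/jnr-x86asm/1.0.2/6936bbd6c5b235665d87bd450f5e13b52d4b48/jnr-x86asm-1.0.2.jar
MD5: 00670735acb2a9d1421b506dc7d338bc
SHA1: 006936bbd6c5b235665d87bd450f5e13b52d4b48
SHA256: 39f3675b910e6e9b93825f8284bec9f4ad3044cd20a6f7c8ff9e2f8695ebf21e
jsch-0.1.54.jar File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.jcraft/jsch/0.1.54/da3584329a263616e277e15462b387addd1b208d/jsch-0.1.54.jar
MD5: 56a6c6fc5819e21c665355b39b9097d8
SHA1: da3584329a263616e277e15462b387addd1b208d
SHA256: 92eb273a3316762478fdd4fe03a0ce1842c56f496c9c12fe1235db80450e1fdb
"""


@dataclass
class Entry:
    path: str
    md5: str
    sha1: str
    sha256: str


# One entry = "File Path:" followed by the three digests, whether or not the extraction
# glued them together ("...jarMD5: ...SHA1: ..."). The lazy path match stops at "MD5:".
ENTRY_RE = re.compile(
    r"File Path:\s*(?P<path>/\S+?)\s*"
    r"MD5:\s*(?P<md5>[0-9a-fA-F]{32})\s*"
    r"SHA1:\s*(?P<sha1>[0-9a-fA-F]{40})\s*"
    r"SHA256:\s*(?P<sha256>[0-9a-fA-F]{64})"
)

# Gradle modules-2 cache: .../files-2.1/<group>/<artifact>/<version>/<sha1 dir>/<file>
# A report entry for a file *inside* a jar (e.g. jnidispatch.dll) has an extra "/..." tail.
GRADLE_CACHE_RE = re.compile(
    r"/modules-2/files-2\.1/(?P<group>[^/]+)/(?P<artifact>[^/]+)/(?P<version>[^/]+)/"
    r"(?P<dir>[0-9a-fA-F]+)/(?P<file>[^/]+)(?P<inner>/.*)?$"
)


def parse_entries(report_text: str) -> List[Entry]:
    """Extract every (path, md5, sha1, sha256) block from flattened report text."""
    return [
        Entry(m["path"], m["md5"].lower(), m["sha1"].lower(), m["sha256"].lower())
        for m in ENTRY_RE.finditer(report_text)
    ]


def gradle_dir_for(sha1: str) -> str:
    """Cache directory name derived from an artifact's SHA-1.

    Rule observed in this report's own entries: the directory is the SHA-1 as a hex
    number, so leading zeros are dropped (jna 0e08... -> e08..., jnr-x86asm 0069... -> 69...).
    """
    return sha1.lower().lstrip("0") or "0"


def check_cache_path(entry: Entry) -> Optional[bool]:
    """True/False: does the path's SHA-1 directory agree with the reported SHA-1?

    None when the path is not a top-level Gradle cache artifact (a file nested inside a
    jar), because then the reported digest belongs to the inner file, not the cached jar.
    """
    m = GRADLE_CACHE_RE.search(entry.path)
    if m is None or m["inner"]:
        return None
    return m["dir"].lower() == gradle_dir_for(entry.sha1)


def digests(data: bytes) -> Dict[str, str]:
    """MD5/SHA1/SHA256 of raw bytes, keyed like the Entry fields."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify_bytes(entry: Entry, data: bytes) -> Dict[str, bool]:
    """Per-algorithm match of the reported digests against actual content."""
    actual = digests(data)
    return {name: actual[name] == getattr(entry, name) for name in actual}


def verify_file(entry: Entry) -> Optional[Dict[str, bool]]:
    """Recompute the digests of the artifact on disk; None if it is not present locally."""
    p = Path(entry.path)
    if not p.is_file():
        return None
    return verify_bytes(entry, p.read_bytes())


if __name__ == "__main__":
    for e in parse_entries(SAMPLE_REPORT):
        print(Path(e.path).name,
              "cache dir matches SHA-1:", check_cache_path(e),
              "on-disk digests:", verify_file(e))
```

Run it against the saved report text (read the whole file instead of SAMPLE_REPORT) on the machine that produced the scan; a False from check_cache_path means the report's SHA-1 and the cache path disagree, and a False from verify_file means the jar on disk is no longer the one the scan hashed, both worth investigating before trusting the findings. MD5 and SHA-1 are kept only because the report lists them; SHA-256 is the comparison that matters.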
json4s-ast_2.10-3.2.11.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.json4s/json4s-ast_2.10/3.2.11/49ab60e86a2c3508d3d45a04dca6dfe173492fcf/json4s-ast_2.10-3.2.11.jar
MD5: ab23d8bffc4c38d138032dea39731f26
SHA1: 49ab60e86a2c3508d3d45a04dca6dfe173492fcf
SHA256: d445537674ce45a2f731bcf7bbb3b9ada04be1690d0d692e26e3090cf70359e4
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | json4s | Highest
Vendor | Manifest | Implementation-Vendor | org.json4s | High
Vendor | file | name | json4s-ast_2.10-3.2.11 | High
Vendor | Manifest | Implementation-Vendor-Id | org.json4s | Medium
Vendor | Manifest | specification-vendor | org.json4s | Low
Vendor | gradle | groupid | org.json4s | Highest
Vendor | Manifest | implementation-url | https://github.com/json4s/json4s | Low
Vendor | jar | package name | json4s | Low
Product | jar | package name | json4s | Highest
Product | gradle | artifactid | json4s-ast_2.10 | Highest
Product | file | name | json4s-ast_2.10-3.2.11 | High
Product | Manifest | Implementation-Title | json4s-ast | High
Product | Manifest | specification-title | json4s-ast | Medium
Product | Manifest | implementation-url | https://github.com/json4s/json4s | Low
Version | jar | package name | json4s | Highest
Version | gradle | version | 3.2.11 | Highest
Version | Manifest | Implementation-Version | 3.2.11 | High
json4s-core_2.10-3.2.11.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.json4s/json4s-core_2.10/3.2.11/dabb704ffdb3ede596e8df39959d092e1bab8816/json4s-core_2.10-3.2.11.jar
MD5: 7ebc37c9ee52320be85941ad16824fb0
SHA1: dabb704ffdb3ede596e8df39959d092e1bab8816
SHA256: bd4dd33875bb7297736e261e345fa2892db37c89e0e79fa8c69a05fbe4e9eb5e
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | json4s | Highest
Vendor | Manifest | Implementation-Vendor | org.json4s | High
Vendor | Manifest | Implementation-Vendor-Id | org.json4s | Medium
Vendor | file | name | json4s-core_2.10-3.2.11 | High
Vendor | Manifest | specification-vendor | org.json4s | Low
Vendor | gradle | groupid | org.json4s | Highest
Vendor | Manifest | implementation-url | https://github.com/json4s/json4s | Low
Vendor | jar | package name | json4s | Low
Product | jar | package name | json4s | Highest
Product | Manifest | Implementation-Title | json4s-core | High
Product | gradle | artifactid | json4s-core_2.10 | Highest
Product | file | name | json4s-core_2.10-3.2.11 | High
Product | Manifest | specification-title | json4s-core | Medium
Product | Manifest | implementation-url | https://github.com/json4s/json4s | Low
Version | jar | package name | json4s | Highest
Version | gradle | version | 3.2.11 | Highest
Version | Manifest | Implementation-Version | 3.2.11 | High
json4s-jackson_2.10-3.2.11.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.json4s/json4s-jackson_2.10/3.2.11/c91b7c1c01d49ccccc1e715bb651440c8cd105f2/json4s-jackson_2.10-3.2.11.jar
MD5: 89fa356909c5ca4884de0fb2de07ce10
SHA1: c91b7c1c01d49ccccc1e715bb651440c8cd105f2
SHA256: 22e20ac162302b6f2fcc84b6c3a7205d43c7b8b51bae568c3e5e223de7c5275a
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | json4s | Highest
Vendor | Manifest | Implementation-Vendor | org.json4s | High
Vendor | Manifest | Implementation-Vendor-Id | org.json4s | Medium
Vendor | file | name | json4s-jackson_2.10-3.2.11 | High
Vendor | Manifest | specification-vendor | org.json4s | Low
Vendor | gradle | groupid | org.json4s | Highest
Vendor | jar | package name | jackson | Low
Vendor | Manifest | implementation-url | https://github.com/json4s/json4s | Low
Vendor | jar | package name | json4s | Low
Product | jar | package name | json4s | Highest
Product | gradle | artifactid | json4s-jackson_2.10 | Highest
Product | Manifest | Implementation-Title | json4s-jackson | High
Product | Manifest | specification-title | json4s-jackson | Medium
Product | file | name | json4s-jackson_2.10-3.2.11 | High
Product | jar | package name | jackson | Low
Product | jar | package name | jackson | Highest
Product | Manifest | implementation-url | https://github.com/json4s/json4s | Low
Version | jar | package name | json4s | Highest
Version | gradle | version | 3.2.11 | Highest
Version | Manifest | Implementation-Version | 3.2.11 | High
jsoup-1.11.3.jar
Description:
jsoup is a Java library for working with real-world HTML. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jquery-like methods. jsoup implements the WHATWG HTML5 specification, and parses HTML to the same DOM as modern browsers do.
License:
The MIT License: https://jsoup.org/license
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jsoup/jsoup/1.11.3/36da09a8f68484523fa2aaa100399d612b247d67/jsoup-1.11.3.jar
MD5: 4735085c4a37313b00887dd0a0f99813
SHA1: 36da09a8f68484523fa2aaa100399d612b247d67
SHA256: df2c71a4240ecbdae7cdcd1667bcf0d747e4e3dcefe8161e787adcff7e5f2fa0
Referenced In Projects/Scopes: file:compileClasspath file:runtimeClasspath calcite:sqllineClasspath csv:runtimeClasspath file:default csv:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | bundle-symbolicname | org.jsoup | Medium
Vendor | pom | organization name | Jonathan Hedley | High
Vendor | jar | package name | parser | Highest
Vendor | gradle | groupid | org.jsoup | Highest
Vendor | pom | artifactid | jsoup | Low
Vendor | jar | package name | jsoup | Highest
Vendor | Manifest | automatic-module-name | org.jsoup | Medium
Vendor | pom | url | https://jsoup.org/ | Highest
Vendor | pom | groupid | jsoup | Highest
Vendor | pom | name | jsoup Java HTML Parser | High
Vendor | file | name | jsoup | High
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | Manifest | bundle-docurl | https://jsoup.org/ | Low
Vendor | pom | organization url | http://jonathanhedley.com/ | Medium
Product | Manifest | bundle-symbolicname | org.jsoup | Medium
Product | jar | package name | parser | Highest
Product | jar | package name | jsoup | Highest
Product | pom | url | https://jsoup.org/ | Medium
Product | Manifest | automatic-module-name | org.jsoup | Medium
Product | pom | groupid | jsoup | Highest
Product | pom | organization url | http://jonathanhedley.com/ | Low
Product | Manifest | Bundle-Name | jsoup Java HTML Parser | Medium
Product | pom | name | jsoup Java HTML Parser | High
Product | file | name | jsoup | High
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | pom | organization name | Jonathan Hedley | Low
Product | Manifest | bundle-docurl | https://jsoup.org/ | Low
Product | gradle | artifactid | jsoup | Highest
Product | pom | artifactid | jsoup | Highest
Version | pom | version | 1.11.3 | Highest
Version | file | version | 1.11.3 | High
Version | gradle | version | 1.11.3 | Highest
Version | Manifest | Bundle-Version | 1.11.3 | High
jsp-2.1-6.1.14.jarDescription:
JSP2.1 Jasper implementation from Glassfish License:
CDDL 1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.mortbay.jetty/jsp-2.1/6.1.14/3a1df1e8e0fa56e9a940abbd19bc6f397fce16b5/jsp-2.1-6.1.14.jar
MD5: 07aaf43ccf8bdbb5f205de106cd6cf9d
SHA1: 3a1df1e8e0fa56e9a940abbd19bc6f397fce16b5
SHA256: d954dad8aa71f2699f3590333e8c9b8d8fc1ea2c59d76035193b8ff2af05d63f
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath
Evidence (Type Source Name Value Confidence): Vendor jar package name org Highest Vendor pom artifactid jsp-2.1 Low Vendor jar package name jasper Highest Vendor pom parent-artifactid project Low Vendor pom name Glassfish Jasper High Vendor Manifest mode development Low Vendor pom groupid mortbay.jetty Highest Vendor Manifest bundle-docurl http://www.mortbay.com Low Vendor file name jsp-2.1-6.1.14 High Vendor pom parent-groupid org.mortbay.jetty Medium Vendor Manifest url http://jetty.mortbay.org/project/modules/jsp-2.1 Low Vendor Manifest bundle-symbolicname org.mortbay.jetty.jsp-2.1 Medium Vendor Manifest originally-created-by 1.5.0_16 (Apple Inc.) Low Vendor gradle groupid org.mortbay.jetty Highest Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Product jar package name org Highest Product Manifest Bundle-Name Glassfish Jasper Medium Product jar package name jasper Highest Product gradle artifactid jsp-2.1 Highest Product pom name Glassfish Jasper High Product Manifest mode development Low Product pom groupid mortbay.jetty Highest Product Manifest bundle-docurl http://www.mortbay.com Low Product file name jsp-2.1-6.1.14 High Product pom parent-groupid org.mortbay.jetty Medium Product pom artifactid jsp-2.1 Highest Product Manifest url http://jetty.mortbay.org/project/modules/jsp-2.1 Low Product Manifest bundle-symbolicname org.mortbay.jetty.jsp-2.1 Medium Product Manifest originally-created-by 1.5.0_16 (Apple Inc.) Low Product pom parent-artifactid project Medium Product Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Version Manifest implementation-version 6.1.14 High Version gradle version 6.1.14 Highest Version Manifest Bundle-Version 6.1.14 High Version pom version 6.1.14 Highest
Published Vulnerabilities
CVE-2009-1523
Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI. CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N References:
Vulnerable Software & Versions:
CVE-2009-1524
Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before 6.1.17 allows remote attackers to inject arbitrary web script or HTML via a directory listing request containing a ; (semicolon) character. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N References:
Vulnerable Software & Versions:
CVE-2009-4609
The Dump Servlet in Mort Bay Jetty 6.x and 7.0.0 allows remote attackers to obtain sensitive information about internal variables and other data via a request to a URI ending in /dump/, as demonstrated by discovering the value of the getPathTranslated variable. CWE-200 Information Exposure
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N References:
Vulnerable Software & Versions:
CVE-2009-4610
Multiple cross-site scripting (XSS) vulnerabilities in Mort Bay Jetty 6.x and 7.0.0 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to jsp/dump.jsp in the JSP Dump feature, or the (2) Name or (3) Value parameter to the default URI for the Session Dump Servlet under session/. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N References:
Vulnerable Software & Versions:
CVE-2009-4611
Mort Bay Jetty 6.x through 6.1.22 and 7.0.0 writes backtrace data without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator, related to (1) a string value in the Age parameter to the default URI for the Cookie Dump Servlet in test-jetty-webapp/src/main/java/com/acme/CookieDump.java under cookie/, (2) an alphabetic value in the A parameter to jsp/expr.jsp, or (3) an alphabetic value in the Content-Length HTTP header to an arbitrary application. CWE-20 Improper Input Validation
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P References:
Vulnerable Software & Versions:
CVE-2009-4612
Multiple cross-site scripting (XSS) vulnerabilities in the WebApp JSP Snoop page in Mort Bay Jetty 6.1.x through 6.1.21 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under (1) jspsnoop/, (2) jspsnoop/ERROR/, and (3) jspsnoop/IOException/, and possibly the PATH_INFO to (4) snoop.jsp. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N References:
Vulnerable Software & Versions:
CVE-2009-5048
Cookie Dump Servlet stored XSS vulnerability in jetty through 6.1.20. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N References:
Vulnerable Software & Versions:
CVE-2009-5049
WebApp JSP Snoop page XSS in jetty through 6.1.21. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N References:
Vulnerable Software & Versions:
CVE-2011-4461
Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. CWE-310 Cryptographic Issues
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L References:
Vulnerable Software & Versions:
jsp-api-2.1-6.1.14.jar
Description:
JSP2.1 API
License:
http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.mortbay.jetty/jsp-api-2.1/6.1.14/756b3fac155e31bd0e85545dbf953495e0455c73/jsp-api-2.1-6.1.14.jar
MD5: 65d8baf855d2ce15d5f3243ef3d232ef
SHA1: 756b3fac155e31bd0e85545dbf953495e0455c73
SHA256: dbe60706e1a2f3e3e3785b287d78b527b6f41aa637eccda4e3c384176c35a405
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath
Evidence (Type Source Name Value Confidence): Vendor Manifest bundle-symbolicname org.mortbay.jetty.jsp-api-2.1 Medium Vendor pom parent-artifactid project Low Vendor jar package name jsp Highest Vendor Manifest mode development Low Vendor pom groupid mortbay.jetty Highest Vendor Manifest bundle-docurl http://www.mortbay.com Low Vendor Manifest url http://jetty.mortbay.org/project/modules/jsp-api-2.1 Low Vendor Manifest Implementation-Vendor JCP High Vendor pom parent-groupid org.mortbay.jetty Medium Vendor Manifest originally-created-by 1.5.0_16 (Apple Inc.) Low Vendor gradle groupid org.mortbay.jetty Highest Vendor pom artifactid jsp-api-2.1 Low Vendor file name jsp-api-2.1-6.1.14 High Vendor pom name Glassfish Jasper API High Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Product gradle artifactid jsp-api-2.1 Highest Product Manifest bundle-symbolicname org.mortbay.jetty.jsp-api-2.1 Medium Product Manifest Bundle-Name Glassfish Jasper API Medium Product jar package name jsp Highest Product Manifest mode development Low Product pom groupid mortbay.jetty Highest Product Manifest bundle-docurl http://www.mortbay.com Low Product Manifest url http://jetty.mortbay.org/project/modules/jsp-api-2.1 Low Product pom parent-groupid org.mortbay.jetty Medium Product Manifest originally-created-by 1.5.0_16 (Apple Inc.) Low Product pom parent-artifactid project Medium Product pom artifactid jsp-api-2.1 Highest Product file name jsp-api-2.1-6.1.14 High Product pom name Glassfish Jasper API High Product Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Version Manifest implementation-version 6.1.14 High Version gradle version 6.1.14 Highest Version pom version 6.1.14 Highest
Published Vulnerabilities
CVE-2009-1523
Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI. CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N References:
Vulnerable Software & Versions:
CVE-2009-1524
Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before 6.1.17 allows remote attackers to inject arbitrary web script or HTML via a directory listing request containing a ; (semicolon) character. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N References:
Vulnerable Software & Versions:
CVE-2009-4609
The Dump Servlet in Mort Bay Jetty 6.x and 7.0.0 allows remote attackers to obtain sensitive information about internal variables and other data via a request to a URI ending in /dump/, as demonstrated by discovering the value of the getPathTranslated variable. CWE-200 Information Exposure
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N References:
Vulnerable Software & Versions:
CVE-2009-4610
Multiple cross-site scripting (XSS) vulnerabilities in Mort Bay Jetty 6.x and 7.0.0 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to jsp/dump.jsp in the JSP Dump feature, or the (2) Name or (3) Value parameter to the default URI for the Session Dump Servlet under session/. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N References:
Vulnerable Software & Versions:
CVE-2009-4611
Mort Bay Jetty 6.x through 6.1.22 and 7.0.0 writes backtrace data without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator, related to (1) a string value in the Age parameter to the default URI for the Cookie Dump Servlet in test-jetty-webapp/src/main/java/com/acme/CookieDump.java under cookie/, (2) an alphabetic value in the A parameter to jsp/expr.jsp, or (3) an alphabetic value in the Content-Length HTTP header to an arbitrary application. CWE-20 Improper Input Validation
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P References:
Vulnerable Software & Versions:
CVE-2009-4612
Multiple cross-site scripting (XSS) vulnerabilities in the WebApp JSP Snoop page in Mort Bay Jetty 6.1.x through 6.1.21 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under (1) jspsnoop/, (2) jspsnoop/ERROR/, and (3) jspsnoop/IOException/, and possibly the PATH_INFO to (4) snoop.jsp. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N References:
Vulnerable Software & Versions:
CVE-2009-5048
Cookie Dump Servlet stored XSS vulnerability in jetty through 6.1.20. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N References:
Vulnerable Software & Versions:
CVE-2009-5049
WebApp JSP Snoop page XSS in jetty through 6.1.21. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N References:
Vulnerable Software & Versions:
CVE-2011-4461
Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. CWE-310 Cryptographic Issues
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L References:
Vulnerable Software & Versions:
jsp-api-2.1.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.servlet.jsp/jsp-api/2.1/63f943103f250ef1f3a4d5e94d145a0f961f5316/jsp-api-2.1.jar
MD5: b8a34113a3a1ce29c8c60d7141f5a704
SHA1: 63f943103f250ef1f3a4d5e94d145a0f961f5316
SHA256: 545f4e7dc678ffb4cf8bd0fd40b4a4470a409a787c0ea7d0ad2f08d56112987b
Referenced In Projects/Scopes:
piglet:runtimeClasspath calcite:sqllineClasspath spark:default piglet:default spark:runtimeClasspath
Evidence (Type Source Name Value Confidence): Vendor Manifest specification-vendor Sun Microsystems, Inc. Low Vendor jar package name servlet Highest Vendor Manifest Implementation-Vendor Sun Microsystems, Inc. High Vendor jar package name jsp Highest Vendor jar package name javax Low Vendor Manifest extension-name javax.servlet.jsp Medium Vendor jar package name javax Highest Vendor jar package name servlet Low Vendor jar package name jsp Low Vendor file name jsp-api High Vendor gradle groupid javax.servlet.jsp Highest Vendor Manifest Implementation-Vendor-Id org.apache Medium Product Manifest specification-title JavaServer Pages(TM) Specification Medium Product jar package name servlet Highest Product jar package name el Low Product Manifest extension-name javax.servlet.jsp Medium Product jar package name javax Highest Product jar package name servlet Low Product jar package name jsp Low Product file name jsp-api High Product jar package name jsp Highest Product gradle artifactid jsp-api Highest Version Manifest Implementation-Version 2.1 High Version file version 2.1 High
jsqlparser-3.1.jar
Description:
JSqlParser parses an SQL statement and translates it into a hierarchy of Java classes.
The generated hierarchy can be navigated using the Visitor Pattern.
License:
GNU Library or Lesser General Public License (LGPL) V2.1: http://www.gnu.org/licenses/lgpl-2.1.html
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.jsqlparser/jsqlparser/3.1/b8f2f838923317fb2bbd18a5e7850bb91a88330e/jsqlparser-3.1.jar
MD5: 7a5a8dbca36efdde5e438454ed9875a8
SHA1: b8f2f838923317fb2bbd18a5e7850bb91a88330e
SHA256: fd0a337376be3bf35194670c219eeb01e92faa15d78e3bc90ef3721bccdcf894
Referenced In Projects/Scopes: innodb:compileClasspath innodb:runtimeClasspath calcite:sqllineClasspath innodb:default
Evidence (Type Source Name Value Confidence): Vendor jar package name jsqlparser Highest Vendor Manifest bundle-symbolicname com.github.jsqlparser Medium Vendor pom artifactid jsqlparser Low Vendor file name jsqlparser High Vendor pom url JSQLParser/JSqlParser Highest Vendor gradle groupid com.github.jsqlparser Highest Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Vendor jar package name statement Highest Vendor pom groupid github.jsqlparser Highest Vendor pom name JSQLParser library High Vendor pom organization name JSQLParser High Product file name jsqlparser High Product jar package name statement Highest Product Manifest Bundle-Name JSQLParser library Medium Product pom organization name JSQLParser Low Product pom artifactid jsqlparser Highest Product jar package name jsqlparser Highest Product pom url JSQLParser/JSqlParser High Product Manifest bundle-symbolicname com.github.jsqlparser Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" Low Product pom groupid github.jsqlparser Highest Product gradle artifactid jsqlparser Highest Product pom name JSQLParser library High Version file version 3.1 High Version pom version 3.1 Highest Version gradle version 3.1 Highest
jsr305-3.0.2.jar
Description:
JSR305 Annotations for Findbugs
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.code.findbugs/jsr305/3.0.2/25ea2e8b0c338a877313bd4672d3fe056ea78f0d/jsr305-3.0.2.jar
MD5: dd83accb899363c32b07d7a1b2e4ce40
SHA1: 25ea2e8b0c338a877313bd4672d3fe056ea78f0d
SHA256: 766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7
Referenced In Projects/Scopes: cassandra:compileClasspath piglet:compileClasspath splunk:checkstyle calcite:checkstyle piglet:runtimeClasspath spark:default splunk:default kafka:default spark:compileClasspath function:checkstyle server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath linq4j:runtimeClasspath linq4j:default druid:checkstyle druid:compileClasspath plus:compileClasspath csv:checkstyle linq4j:compileClasspath pig:default plus:runtimeClasspath splunk:compileClasspath core:checkstyle function:default file:compileClasspath core:implementationDependenciesMetadata file:checkstyle kafka:runtimeClasspath splunk:runtimeClasspath file:runtimeClasspath innodb:runtimeClasspath elasticsearch:default geode:checkstyle kafka:compileClasspath druid:runtimeClasspath mongodb:checkstyle elasticsearch:checkstyle linq4j:checkstyle redis:checkstyle babel:checkstyle mongodb:default cassandra:default innodb:checkstyle cassandra:checkstyle piglet:checkstyle bom:checkstyle babel:default function:runtimeClasspath redis:compileClasspath redis:runtimeClasspath spark:checkstyle plus:checkstyle core:default function:compileClasspath pig:checkstyle elasticsearch:compileClasspath babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default babel:compileClasspath server:checkstyle csv:default innodb:compileClasspath core:compileClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default geode:compileClasspath mongodb:runtimeClasspath release:checkstyle file:default server:default kafka:checkstyle ubenchmark:checkstyle ubenchmark:jmhCompileClasspath example:checkstyle pig:runtimeClasspath mongodb:compileClasspath server:compileClasspath redis:default geode:runtimeClasspath csv:compileClasspath csv:runtimeClasspath plus:default pig:compileClasspath
Evidence (Type Source Name Value Confidence): Vendor pom artifactid jsr305 Low Vendor gradle groupid com.google.code.findbugs Highest Vendor Manifest bundle-symbolicname org.jsr-305 Medium Vendor pom url http://findbugs.sourceforge.net/ Highest Vendor pom name FindBugs-jsr305 High Vendor pom groupid google.code.findbugs Highest Vendor file name jsr305 High Product pom artifactid jsr305 Highest Product Manifest bundle-symbolicname org.jsr-305 Medium Product Manifest Bundle-Name FindBugs-jsr305 Medium Product pom url http://findbugs.sourceforge.net/ Medium Product gradle artifactid jsr305 Highest Product pom name FindBugs-jsr305 High Product pom groupid google.code.findbugs Highest Product file name jsr305 High Version Manifest Bundle-Version 3.0.2 High Version gradle version 3.0.2 Highest Version pom version 3.0.2 Highest Version file version 3.0.2 High
jul-to-slf4j-1.7.16.jar
Description:
JUL to SLF4J bridge
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.slf4j/jul-to-slf4j/1.7.16/2d5b546c5557dcbf08c3a381d7dc9bd275a602c1/jul-to-slf4j-1.7.16.jar
MD5: 228ccd417ce9b7b6dcd78e8fee1a8ca0
SHA1: 2d5b546c5557dcbf08c3a381d7dc9bd275a602c1
SHA256: a67d98d27bfcbc120e0efbf47cf07fab85cb32b6b274d43257a29fa14bb659d0
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence (Type Source Name Value Confidence): Vendor pom name JUL to SLF4J bridge High Vendor jar package name bridge Highest Vendor pom url http://www.slf4j.org Highest Vendor pom groupid slf4j Highest Vendor Manifest bundle-symbolicname jul.to.slf4j Medium Vendor gradle groupid org.slf4j Highest Vendor jar package name slf4j Highest Vendor pom parent-groupid org.slf4j Medium Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Vendor pom parent-artifactid slf4j-parent Low Vendor file name jul-to-slf4j High Vendor pom artifactid jul-to-slf4j Low Product pom name JUL to SLF4J bridge High Product gradle artifactid jul-to-slf4j Highest Product pom url http://www.slf4j.org Medium Product jar package name bridge Highest Product pom groupid slf4j Highest Product Manifest bundle-symbolicname jul.to.slf4j Medium Product pom parent-artifactid slf4j-parent Medium Product jar package name slf4j Highest Product pom artifactid jul-to-slf4j Highest Product pom parent-groupid org.slf4j Medium Product Manifest Bundle-Name jul-to-slf4j Medium Product Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Product file name jul-to-slf4j High Version Manifest Bundle-Version 1.7.16 High Version pom version 1.7.16 Highest Version gradle version 1.7.16 Highest Version file version 1.7.16 High Version Manifest Implementation-Version 1.7.16 High
junit-4.12.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/junit/junit/4.12/2973d150c0dc1fefe998f834810d68f278ea58ec/junit-4.12.jar
MD5: 5b38c40c97fbd0adee29f91e60405584
SHA1: 2973d150c0dc1fefe998f834810d68f278ea58ec
SHA256: 59721f0805e223d84b90677887d9ff567dc534d7c502ca903c0c2b17f05c116a
Referenced In Projects/Scopes:
piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath
Evidence (Type Source Name Value Confidence): Vendor jar package name junit Low Vendor gradle groupid junit Highest Vendor Manifest Implementation-Vendor-Id junit Medium Vendor Manifest Implementation-Vendor JUnit High Vendor jar package name junit Highest Vendor file name junit High Product gradle artifactid junit Highest Product jar package name junit Highest Product Manifest Implementation-Title JUnit High Product file name junit High Version Manifest Implementation-Version 4.12 High Version file version 4.12 High
Published Vulnerabilities
CVE-2020-15250
In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory. CWE-200 Information Exposure
CVSSv2:
Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N References:
Vulnerable Software & Versions:
kafka-clients-2.1.1.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.kafka/kafka-clients/2.1.1/a7b72831768ccfd69128385130409ae1a0e52f5f/kafka-clients-2.1.1.jar
MD5: d61a86d65d977b8f7d7b73b9659f579b
SHA1: a7b72831768ccfd69128385130409ae1a0e52f5f
SHA256: d5c1ed6e23e815fe43c0f050ef0651110b9e9b59cfc4d86e50bf7cc084132a93
Referenced In Projects/Scopes:
kafka:runtimeClasspath calcite:sqllineClasspath kafka:compileClasspath kafka:default
Evidence (Type Source Name Value Confidence): Vendor gradle groupid org.apache.kafka Highest Vendor file name kafka-clients High Vendor jar package name apache Low Vendor jar package name kafka Low Vendor jar package name common Low Product file name kafka-clients High Product gradle artifactid kafka-clients Highest Product jar package name kafka Low Product jar package name common Low Version gradle version 2.1.1 Highest Version file version 2.1.1 High Version file name kafka-clients Medium
Published Vulnerabilities
CVE-2019-12399
When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables. CWE-319 Cleartext Transmission of Sensitive Information
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N References:
Vulnerable Software & Versions:
kfs-0.3.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.sf.kosmosfs/kfs/0.3/20fcbc065182bdcd706c90a2eb383ae70eb5b223/kfs-0.3.jar
MD5: 791eb58893dc1335c8968b93d2f70fe6
SHA1: 20fcbc065182bdcd706c90a2eb383ae70eb5b223
SHA256: 1807cbffb6c8876cf440b8f7d748fff49cea40ddd2d042bbb62bae3c87ba8842
Referenced In Projects/Scopes:
piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath
Evidence (Type Source Name Value Confidence): Vendor gradle groupid net.sf.kosmosfs Highest Vendor jar package name access Low Vendor file name kfs High Vendor jar package name kosmix Highest Vendor jar package name kosmix Low Vendor manifest: org/kosmos Implementation-Vendor Kosmix Medium Vendor jar package name kosmosfs Low Product jar package name access Low Product gradle artifactid kfs Highest Product file name kfs High Product manifest: org/kosmos Implementation-Title KFS Medium Product jar package name kosmosfs Low Version manifest: org/kosmos Implementation-Version 0.3 Medium Version file name kfs Medium Version gradle version 0.3 Highest Version file version 0.3 High
kotlin-compiler-embeddable-1.3.50.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-compiler-embeddable/1.3.50/1251c1768e5769b06c2487d6f6cf8acf6efb8960/kotlin-compiler-embeddable-1.3.50.jar
MD5: 92532617314cbc6aaedab9624912cce3
SHA1: 1251c1768e5769b06c2487d6f6cf8acf6efb8960
SHA256: 00684f6e1f08c639d4476170fc0d1a2ab04414c8383513e241adc76afeead1fa
Referenced In Project/Scope: core:kotlinCompilerClasspath
Evidence (Type Source Name Value Confidence): Vendor jar package name kotlin Low Vendor jar package name jetbrains Low Vendor gradle groupid org.jetbrains.kotlin Highest Vendor file name kotlin-compiler-embeddable High Vendor Manifest Implementation-Vendor JetBrains High Vendor jar package name jetbrains Highest Product Manifest Implementation-Title kotlin-compiler-embeddable High Product jar package name kotlin Low Product jar package name compiler Highest Product file name kotlin-compiler-embeddable High Product gradle artifactid kotlin-compiler-embeddable Highest Product jar package name kotlin Highest Version file name kotlin-compiler-embeddable Medium Version file version 1.3.50 High Version gradle version 1.3.50 Highest Version Manifest Implementation-Version 1.3.50-release-112 (1.3.50) High
Published Vulnerabilities
CVE-2020-29582
In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions. CWE-276 Incorrect Default Permissions
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N References:
Vulnerable Software & Versions:
kotlin-compiler-embeddable-1.3.50.jar: jansi.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-compiler-embeddable/1.3.50/1251c1768e5769b06c2487d6f6cf8acf6efb8960/kotlin-compiler-embeddable-1.3.50.jar/META-INF/native/windows32/jansi.dll
MD5: 11656f6f0800535dc79259a4299f9b36
SHA1: 53877c745604e1489fbd7671646f3b1d4e7e2316
SHA256: 57e149395d70908f47206be96e03414631ab0036b8f1edb2ec29510e54512157
Referenced In Project/Scope: core:kotlinCompilerClasspath
Evidence (Type Source Name Value Confidence): Vendor file name jansi High Product file name jansi High
kotlin-compiler-embeddable-1.3.50.jar: jansi.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-compiler-embeddable/1.3.50/1251c1768e5769b06c2487d6f6cf8acf6efb8960/kotlin-compiler-embeddable-1.3.50.jar/META-INF/native/windows64/jansi.dll
MD5: d5beb4ff523696be6d23c34a0a78fbe6
SHA1: 558aea23a4ea0f6e6824b8cd4d2b0ecb9a154f37
SHA256: 3d74c12f1984b220e46456398a3890750e6aa1cc2b4102f9f8a0c0c21338d72c
Referenced In Project/Scope: core:kotlinCompilerClasspath
Evidence (Type Source Name Value Confidence): Vendor file name jansi High Product file name jansi High
kotlin-daemon-embeddable-1.3.50.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-daemon-embeddable/1.3.50/5cb93bb33f4c6f833ead0beca4c831668e00cf52/kotlin-daemon-embeddable-1.3.50.jar
MD5: 021a81e41dee359c0c39bc2d2e857a9e
SHA1: 5cb93bb33f4c6f833ead0beca4c831668e00cf52
SHA256: c7b1b872e04a6fdfcfb1d0451de8a49f9900608bae93f9120c35bbcde2d911fa
Referenced In Project/Scope: core:kotlinCompilerClasspath
Evidence (Type Source Name Value Confidence): Vendor file name kotlin-daemon-embeddable High Vendor jar package name kotlin Low Vendor jar package name jetbrains Low Vendor gradle groupid org.jetbrains.kotlin Highest Vendor Manifest Implementation-Vendor JetBrains High Vendor jar package name jetbrains Highest Vendor jar package name daemon Low Product file name kotlin-daemon-embeddable High Product jar package name kotlin Low Product jar package name daemon Highest Product gradle artifactid kotlin-daemon-embeddable Highest Product jar package name common Low Product jar package name kotlin Highest Product jar package name daemon Low Product Manifest Implementation-Title kotlin-daemon-embeddable High Version file version 1.3.50 High Version gradle version 1.3.50 Highest Version file name kotlin-daemon-embeddable Medium Version Manifest Implementation-Version 1.3.50-release-112 (1.3.50) High
Published Vulnerabilities
CVE-2020-29582
In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions. CWE-276 Incorrect Default Permissions
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N References:
Vulnerable Software & Versions:
kotlin-reflect-1.3.50.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-reflect/1.3.50/b499f22fd7c3e9c2e5b6c4005221fa47fc7f9a7a/kotlin-reflect-1.3.50.jar
MD5: ab10cf971cb586b95fd5c88eef8668a1
SHA1: b499f22fd7c3e9c2e5b6c4005221fa47fc7f9a7a
SHA256: 64583199ea5a54aefd1bd1595288925f784226ee562d1dd279011c6075b3d7a4
Referenced In Projects/Scopes: core:kotlinCompilerClasspath core:kotlinCompilerPluginClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | Manifest | kotlin-runtime-component | Main | Low
Vendor | jar | package name | kotlin | Low
Vendor | file | name | kotlin-reflect | High
Vendor | jar | package name | reflect | Low
Vendor | gradle | groupid | org.jetbrains.kotlin | Highest
Vendor | Manifest | Implementation-Vendor | JetBrains | High
Vendor | jar | package name | jvm | Low
Product | jar | package name | internal | Low
Product | Manifest | kotlin-runtime-component | Main | Low
Product | file | name | kotlin-reflect | High
Product | Manifest | Implementation-Title | kotlin-reflect | High
Product | jar | package name | reflect | Low
Product | jar | package name | reflect | Highest
Product | jar | package name | kotlin | Highest
Product | jar | package name | jvm | Low
Product | gradle | artifactid | kotlin-reflect | Highest
Version | file | version | 1.3.50 | High
Version | file | name | kotlin-reflect | Medium
Version | Manifest | kotlin-version | 1.3 | Medium
Version | gradle | version | 1.3.50 | Highest
Version | Manifest | Implementation-Version | 1.3.50-release-112 (1.3.50) | High
Published Vulnerabilities
CVE-2020-29582
In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions. CWE-276 Incorrect Default Permissions
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
kotlin-script-runtime-1.3.50.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-script-runtime/1.3.50/59492b8dfb92522ba0ddb5dd1c4d0ef0a4fca1af/kotlin-script-runtime-1.3.50.jar
MD5: eb1e5b6c3193db19024efae302d12d62
SHA1: 59492b8dfb92522ba0ddb5dd1c4d0ef0a4fca1af
SHA256: 7ff70c52bf062afbe0a0e78962a9b92b89b0cf4a47a481d24037257e56fb7e4c
Referenced In Projects/Scopes: core:kotlinCompilerClasspath core:kotlinCompilerPluginClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | Manifest | kotlin-runtime-component | Main | Low
Vendor | jar | package name | kotlin | Low
Vendor | file | name | kotlin-script-runtime | High
Vendor | gradle | groupid | org.jetbrains.kotlin | Highest
Vendor | jar | package name | script | Low
Vendor | Manifest | Implementation-Vendor | JetBrains | High
Product | Manifest | kotlin-runtime-component | Main | Low
Product | jar | package name | dependencies | Low
Product | Manifest | Implementation-Title | kotlin-script-runtime | High
Product | file | name | kotlin-script-runtime | High
Product | jar | package name | script | Low
Product | jar | package name | script | Highest
Product | gradle | artifactid | kotlin-script-runtime | Highest
Product | jar | package name | kotlin | Highest
Version | file | name | kotlin-script-runtime | Medium
Version | file | version | 1.3.50 | High
Version | Manifest | kotlin-version | 1.3 | Medium
Version | gradle | version | 1.3.50 | Highest
Version | Manifest | Implementation-Version | 1.3.50-release-112 (1.3.50) | High
Published Vulnerabilities
CVE-2020-29582
In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions. CWE-276 Incorrect Default Permissions
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
kotlin-scripting-common-1.3.50.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-scripting-common/1.3.50/b8e0110c386c08f46a8c5e45b8c64aece1914867/kotlin-scripting-common-1.3.50.jar
MD5: c6920f2a3588acabb2bd2c59ed7fa01b
SHA1: b8e0110c386c08f46a8c5e45b8c64aece1914867
SHA256: dd16d71ee2f2f0f3e53cb7f32b30cc9fa1d457ad7d5f428d15a9638c1cc983fc
Referenced In Project/Scope: core:kotlinCompilerPluginClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | kotlin-scripting-common | High
Vendor | jar | package name | kotlin | Low
Vendor | jar | package name | experimental | Low
Vendor | gradle | groupid | org.jetbrains.kotlin | Highest
Vendor | jar | package name | script | Low
Vendor | Manifest | Implementation-Vendor | JetBrains | High
Product | file | name | kotlin-scripting-common | High
Product | gradle | artifactid | kotlin-scripting-common | Highest
Product | jar | package name | api | Low
Product | Manifest | Implementation-Title | kotlin-scripting-common | High
Product | jar | package name | experimental | Low
Product | jar | package name | script | Low
Product | jar | package name | kotlin | Highest
Version | file | version | 1.3.50 | High
Version | file | name | kotlin-scripting-common | Medium
Version | gradle | version | 1.3.50 | Highest
Version | Manifest | Implementation-Version | 1.3.50-release-112 (1.3.50) | High
Published Vulnerabilities
CVE-2020-29582
In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions. CWE-276 Incorrect Default Permissions
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
kotlin-scripting-compiler-embeddable-1.3.50.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-scripting-compiler-embeddable/1.3.50/8cf679fe2d8cd6fa57e9ca4ca46222d5477f077c/kotlin-scripting-compiler-embeddable-1.3.50.jar
MD5: 7489de341bef9c44ae38d16b5f2eed8c
SHA1: 8cf679fe2d8cd6fa57e9ca4ca46222d5477f077c
SHA256: baa76bdc840a1b7ffc88c5d6e327b75a37118a44e60deae56d71d408fd1c8ac5
Referenced In Project/Scope: core:kotlinCompilerPluginClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | jar | package name | kotlin | Low
Vendor | jar | package name | scripting | Low
Vendor | jar | package name | jetbrains | Low
Vendor | gradle | groupid | org.jetbrains.kotlin | Highest
Vendor | Manifest | Implementation-Vendor | JetBrains | High
Vendor | jar | package name | jetbrains | Highest
Vendor | file | name | kotlin-scripting-compiler-embeddable | High
Product | jar | package name | kotlin | Low
Product | jar | package name | scripting | Low
Product | jar | package name | compiler | Highest
Product | gradle | artifactid | kotlin-scripting-compiler-embeddable | Highest
Product | Manifest | Implementation-Title | kotlin-scripting-compiler-embeddable | High
Product | jar | package name | compiler | Low
Product | file | name | kotlin-scripting-compiler-embeddable | High
Product | jar | package name | kotlin | Highest
Product | jar | package name | scripting | Highest
Version | file | version | 1.3.50 | High
Version | gradle | version | 1.3.50 | Highest
Version | file | name | kotlin-scripting-compiler-embeddable | Medium
Version | Manifest | Implementation-Version | 1.3.50-release-112 (1.3.50) | High
Published Vulnerabilities
CVE-2020-29582
In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions. CWE-276 Incorrect Default Permissions
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
kotlin-scripting-compiler-impl-embeddable-1.3.50.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-scripting-compiler-impl-embeddable/1.3.50/cc87aae13b61cdcf296ac9416b464e44f27b6dc4/kotlin-scripting-compiler-impl-embeddable-1.3.50.jar
MD5: 2140667346491cf9f1e827f2362eab16
SHA1: cc87aae13b61cdcf296ac9416b464e44f27b6dc4
SHA256: 4ab8accc2bff60ae6d767f7e96036f0f8807e21bf758362e023e3ea57c4e490f
Referenced In Project/Scope: core:kotlinCompilerPluginClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | jar | package name | kotlin | Low
Vendor | jar | package name | scripting | Low
Vendor | jar | package name | jetbrains | Low
Vendor | gradle | groupid | org.jetbrains.kotlin | Highest
Vendor | file | name | kotlin-scripting-compiler-impl-embeddable | High
Vendor | Manifest | Implementation-Vendor | JetBrains | High
Vendor | jar | package name | jetbrains | Highest
Product | jar | package name | kotlin | Low
Product | jar | package name | definitions | Low
Product | jar | package name | scripting | Low
Product | gradle | artifactid | kotlin-scripting-compiler-impl-embeddable | Highest
Product | Manifest | Implementation-Title | kotlin-scripting-compiler-impl-embeddable | High
Product | file | name | kotlin-scripting-compiler-impl-embeddable | High
Product | jar | package name | kotlin | Highest
Product | jar | package name | scripting | Highest
Version | file | version | 1.3.50 | High
Version | gradle | version | 1.3.50 | Highest
Version | Manifest | Implementation-Version | 1.3.50-release-112 (1.3.50) | High
Version | file | name | kotlin-scripting-compiler-impl-embeddable | Medium
Published Vulnerabilities
CVE-2020-29582
In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions. CWE-276 Incorrect Default Permissions
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
kotlin-scripting-jvm-1.3.50.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-scripting-jvm/1.3.50/53f579e1bee3dab3df915d923ad1bb43bc37cd18/kotlin-scripting-jvm-1.3.50.jar
MD5: 3a5ae5237add447bb605480b6c634dd1
SHA1: 53f579e1bee3dab3df915d923ad1bb43bc37cd18
SHA256: fa6fa1b78ae0d3e6f950143567cc207e03b64ce6cba842c5149a5226a784c0c2
Referenced In Project/Scope: core:kotlinCompilerPluginClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | jar | package name | kotlin | Low
Vendor | file | name | kotlin-scripting-jvm | High
Vendor | jar | package name | experimental | Low
Vendor | gradle | groupid | org.jetbrains.kotlin | Highest
Vendor | jar | package name | script | Low
Vendor | Manifest | Implementation-Vendor | JetBrains | High
Product | file | name | kotlin-scripting-jvm | High
Product | gradle | artifactid | kotlin-scripting-jvm | Highest
Product | jar | package name | jvm | Highest
Product | jar | package name | experimental | Low
Product | Manifest | Implementation-Title | kotlin-scripting-jvm | High
Product | jar | package name | script | Low
Product | jar | package name | kotlin | Highest
Product | jar | package name | jvm | Low
Version | file | version | 1.3.50 | High
Version | file | name | kotlin-scripting-jvm | Medium
Version | gradle | version | 1.3.50 | Highest
Version | Manifest | Implementation-Version | 1.3.50-release-112 (1.3.50) | High
Published Vulnerabilities
CVE-2020-29582
In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions. CWE-276 Incorrect Default Permissions
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
kotlin-stdlib-1.3.50.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.50/b529d1738c7e98bbfa36a4134039528f2ce78ebf/kotlin-stdlib-1.3.50.jar
MD5: 99ff15c1ebad291873bb7d93a27ff0f2
SHA1: b529d1738c7e98bbfa36a4134039528f2ce78ebf
SHA256: e6f05746ee0366d0b52825a090fac474dcf44082c9083bbb205bd16976488d6c
Referenced In Projects/Scopes: core:kotlinCompilerClasspath core:kotlinCompilerPluginClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | Manifest | kotlin-runtime-component | Main | Low
Vendor | jar | package name | kotlin | Low
Vendor | gradle | groupid | org.jetbrains.kotlin | Highest
Vendor | Manifest | Implementation-Vendor | JetBrains | High
Vendor | file | name | kotlin-stdlib | High
Product | Manifest | kotlin-runtime-component | Main | Low
Product | gradle | artifactid | kotlin-stdlib | Highest
Product | Manifest | Implementation-Title | kotlin-stdlib | High
Product | jar | package name | kotlin | Highest
Product | file | name | kotlin-stdlib | High
Version | file | version | 1.3.50 | High
Version | Manifest | kotlin-version | 1.3 | Medium
Version | gradle | version | 1.3.50 | Highest
Version | file | name | kotlin-stdlib | Medium
Version | Manifest | Implementation-Version | 1.3.50-release-112 (1.3.50) | High
Published Vulnerabilities
CVE-2020-29582
In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions. CWE-276 Incorrect Default Permissions
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
kotlin-stdlib-common-1.3.50.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib-common/1.3.50/3d9cd3e1bc7b92e95f43d45be3bfbcf38e36ab87/kotlin-stdlib-common-1.3.50.jar
MD5: 42dbb03a04cbcf11a64cc84ce6343324
SHA1: 3d9cd3e1bc7b92e95f43d45be3bfbcf38e36ab87
SHA256: 8ce678e88e4ba018b66dacecf952471e4d7dfee156a8a819760a5a5ff29d323c
Referenced In Projects/Scopes: core:kotlinCompilerClasspath core:kotlinCompilerPluginClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | Manifest | kotlin-runtime-component | Main | Low
Vendor | file | name | kotlin-stdlib-common | High
Vendor | gradle | groupid | org.jetbrains.kotlin | Highest
Vendor | Manifest | Implementation-Vendor | JetBrains | High
Product | Manifest | kotlin-runtime-component | Main | Low
Product | Manifest | Implementation-Title | kotlin-stdlib-common | High
Product | file | name | kotlin-stdlib-common | High
Product | gradle | artifactid | kotlin-stdlib-common | Highest
Version | file | version | 1.3.50 | High
Version | file | name | kotlin-stdlib-common | Medium
Version | Manifest | kotlin-version | 1.3 | Medium
Version | gradle | version | 1.3.50 | Highest
Version | Manifest | Implementation-Version | 1.3.50-release-112 (1.3.50) | High
Published Vulnerabilities
CVE-2020-29582
In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions. CWE-276 Incorrect Default Permissions
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
kotlinx-coroutines-core-1.1.1.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlinx/kotlinx-coroutines-core/1.1.1/3d2b7321cdef9ebf9cb7729ea4f75a6f6457df86/kotlinx-coroutines-core-1.1.1.jar
MD5: 461aa5da3569a08d9e3e9423191d86b8
SHA1: 3d2b7321cdef9ebf9cb7729ea4f75a6f6457df86
SHA256: ac423f8a0aa4b4e74529696ff82c0171f81a8c8ab182a1965dff25e69c1f7844
Referenced In Project/Scope: core:kotlinCompilerPluginClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | kotlinx-coroutines-core | High
Vendor | jar | package name | coroutines | Low
Vendor | jar | package name | kotlinx | Low
Vendor | gradle | groupid | org.jetbrains.kotlinx | Highest
Product | file | name | kotlinx-coroutines-core | High
Product | jar | package name | coroutines | Low
Product | gradle | artifactid | kotlinx-coroutines-core | Highest
Version | file | name | kotlinx-coroutines-core | Medium
Version | gradle | version | 1.1.1 | Highest
Version | file | version | 1.1.1 | High
kryo-shaded-3.0.3.jar
Description: Fast, efficient Java serialization. This is the parent pom that assembles the main kryo and shaded kryo artifacts.
License: New BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.esotericsoftware/kryo-shaded/3.0.3/977d6b42d82de551fcf77dad84ef06c2839e3a74/kryo-shaded-3.0.3.jar
MD5: d31aced491436960a12bded1d8e65658
SHA1: 977d6b42d82de551fcf77dad84ef06c2839e3a74
SHA256: 71727556d387eada4578305fd337b3e046ecf8535f99ed66169ab2a3034418e0
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | pom | artifactid | kryo-parent | Low
Vendor | gradle | groupid | com.esotericsoftware | Highest
Vendor | jar | package name | shaded | Highest
Vendor | pom | name | Kryo Parent | High
Vendor | pom | groupid | esotericsoftware | Highest
Vendor | jar | package name | esotericsoftware | Highest
Vendor | file | name | kryo-shaded | High
Vendor | Manifest | bundle-symbolicname | com.esotericsoftware.kryo-shaded | Medium
Vendor | pom | url | EsotericSoftware/kryo | Highest
Vendor | jar | package name | kryo | Highest
Product | pom | url | EsotericSoftware/kryo | High
Product | pom | artifactid | kryo-parent | Highest
Product | gradle | artifactid | kryo-shaded | Highest
Product | jar | package name | shaded | Highest
Product | pom | name | Kryo Parent | High
Product | Manifest | bundle-symbolicname | com.esotericsoftware.kryo-shaded | Medium
Product | Manifest | Bundle-Name | Kryo Shaded | Medium
Product | pom | groupid | esotericsoftware | Highest
Product | jar | package name | reflectasm | Highest
Product | jar | package name | esotericsoftware | Highest
Product | file | name | kryo-shaded | High
Product | jar | package name | kryo | Highest
Version | gradle | version | 3.0.3 | Highest
Version | Manifest | Bundle-Version | 3.0.3 | High
Version | pom | version | 3.0.3 | Highest
Version | file | version | 3.0.3 | High
kryo-shaded-3.0.3.jar (shaded: com.esotericsoftware:reflectasm:1.10.1)
Description: High performance Java reflection using code generation
License: New BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.esotericsoftware/kryo-shaded/3.0.3/977d6b42d82de551fcf77dad84ef06c2839e3a74/kryo-shaded-3.0.3.jar/META-INF/maven/com.esotericsoftware/reflectasm/pom.xml
MD5: 465f30eeba109df60a69edbe3ef27ed6
SHA1: f14467654c23c365515cf98bae0b0f56d070fa09
SHA256: c090b6506aefb072f25a85886e0e84786fcc98e982ccb5f5cddcd2e8db666be3
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | pom | url | EsotericSoftware/reflectasm | Highest
Vendor | pom | groupid | esotericsoftware | Highest
Vendor | pom | artifactid | reflectasm | Low
Vendor | pom | name | ReflectASM | High
Product | pom | artifactid | reflectasm | Highest
Product | pom | groupid | esotericsoftware | Highest
Product | pom | url | EsotericSoftware/reflectasm | High
Product | pom | name | ReflectASM | High
Version | pom | version | 1.10.1 | Highest
leveldbjni-all-1.8.jar
Description: An uber jar which contains all the leveldbjni platform libraries and dependencies
License: http://www.opensource.org/licenses/BSD-3-Clause
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.fusesource.leveldbjni/leveldbjni-all/1.8/707350a2eeb1fa2ed77a32ddb3893ed308e941db/leveldbjni-all-1.8.jar
MD5: 6944e9bc03c7938868e53c96726ae914
SHA1: 707350a2eeb1fa2ed77a32ddb3893ed308e941db
SHA256: c297213b0e6f9392305952753f3099a4c02e70b3656266fe01867e7b6c160ffe
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | gradle | groupid | org.fusesource.leveldbjni | Highest
Vendor | jar | package name | leveldbjni | Highest
Vendor | pom | parent-groupid | org.fusesource.leveldbjni | Medium
Vendor | jar | package name | all | Highest
Vendor | Manifest | bundle-nativecode | META-INF/native/windows32/leveldbjni.dll;osname=Win32;processor=x86,META-INF/native/windows64/leveldbjni.dll;osname=Win32;processor=x86-64,META-INF/native/osx/libleveldbjni.jnilib;osname=macosx;processor=x86,META-INF/native/osx/libleveldbjni.jnilib;osname=macosx;processor=x86-64,META-INF/native/linux32/libleveldbjni.so;osname=Linux;processor=x86,META-INF/native/linux64/libleveldbjni.so;osname=Linux;processor=x86-64 | Low
Vendor | file | name | leveldbjni-all | High
Vendor | pom | groupid | fusesource.leveldbjni | Highest
Vendor | pom | artifactid | leveldbjni-all | Low
Vendor | Manifest | bundle-docurl | http://fusesource.com/ | Low
Vendor | Manifest | embed-transitive | true | Low
Vendor | Manifest | bundle-symbolicname | org.fusesource.leveldbjni.leveldbjni-all | Medium
Vendor | jar | package name | fusesource | Highest
Vendor | pom | parent-artifactid | leveldbjni-project | Low
Vendor | pom | name | ${project.artifactId} | High
Product | jar | package name | leveldb | Highest
Product | jar | package name | leveldbjni | Highest
Product | pom | parent-groupid | org.fusesource.leveldbjni | Medium
Product | jar | package name | all | Highest
Product | Manifest | bundle-nativecode | META-INF/native/windows32/leveldbjni.dll;osname=Win32;processor=x86,META-INF/native/windows64/leveldbjni.dll;osname=Win32;processor=x86-64,META-INF/native/osx/libleveldbjni.jnilib;osname=macosx;processor=x86,META-INF/native/osx/libleveldbjni.jnilib;osname=macosx;processor=x86-64,META-INF/native/linux32/libleveldbjni.so;osname=Linux;processor=x86,META-INF/native/linux64/libleveldbjni.so;osname=Linux;processor=x86-64 | Low
Product | file | name | leveldbjni-all | High
Product | pom | groupid | fusesource.leveldbjni | Highest
Product | Manifest | Bundle-Name | leveldbjni-all | Medium
Product | Manifest | Implementation-Title | LevelDB JNI | High
Product | Manifest | bundle-docurl | http://fusesource.com/ | Low
Product | Manifest | embed-transitive | true | Low
Product | Manifest | bundle-symbolicname | org.fusesource.leveldbjni.leveldbjni-all | Medium
Product | jar | package name | fusesource | Highest
Product | pom | parent-artifactid | leveldbjni-project | Medium
Product | pom | artifactid | leveldbjni-all | Highest
Product | pom | name | ${project.artifactId} | High
Product | gradle | artifactid | leveldbjni-all | Highest
Version | Manifest | Implementation-Version | 1.8 | High
Version | file | version | 1.8 | High
Version | pom | version | 1.8 | Highest
Version | gradle | version | 1.8 | Highest
leveldbjni-all-1.8.jar: leveldbjni.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.fusesource.leveldbjni/leveldbjni-all/1.8/707350a2eeb1fa2ed77a32ddb3893ed308e941db/leveldbjni-all-1.8.jar/META-INF/native/windows32/leveldbjni.dll
MD5: 551b9310a9ed358359296a89715df2f4
SHA1: bba450e93688b872b3fcaa31e8457950e97d8429
SHA256: 3cf3f6284f99acad369a15f0b4eca8e0dec2b0342651c519e4665570da8a68ee
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | leveldbjni | High
Product | file | name | leveldbjni | High
leveldbjni-all-1.8.jar: leveldbjni.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.fusesource.leveldbjni/leveldbjni-all/1.8/707350a2eeb1fa2ed77a32ddb3893ed308e941db/leveldbjni-all-1.8.jar/META-INF/native/windows64/leveldbjni.dll
MD5: 4b6fa20009ca1eb556e752671461a3f2
SHA1: 978ca9c96c03eb220556ce5bc96c715f95a0967c
SHA256: 7794f7bbc848d1a9ad98996f2c68a1cf12ac17562f646c6d7f5733404a7b5ef1
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | leveldbjni | High
Product | file | name | leveldbjni | High
listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
Description:
An empty artifact that Guava depends on to signal that it is providing
ListenableFuture -- but is also available in a second "version" that
contains com.google.common.util.concurrent.ListenableFuture class, without
any other Guava classes. The idea is:
- If users want only ListenableFuture, they depend on listenablefuture-1.0.
- If users want all of Guava, they depend on guava, which, as of Guava
27.0, depends on
listenablefuture-9999.0-empty-to-avoid-conflict-with-guava. The 9999.0-...
version number is enough for some build systems (notably, Gradle) to select
that empty artifact over the "real" listenablefuture-1.0 -- avoiding a
conflict with the copy of ListenableFuture in guava itself. If users are
using an older version of Guava or a build system other than Gradle, they
may see class conflicts. If so, they can solve them by manually excluding
the listenablefuture artifact or manually forcing their build systems to
use 9999.0-....
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/b421526c5f297295adef1c886e5246c39d4ac629/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
MD5: d094c22570d65e132c19cea5d352e381
SHA1: b421526c5f297295adef1c886e5246c39d4ac629
SHA256: b372a037d4230aa57fbeffdef30fd6123f9c0c2db85d0aced00c91b974f33f99
Referenced In Projects/Scopes: cassandra:compileClasspath piglet:compileClasspath splunk:checkstyle calcite:checkstyle piglet:runtimeClasspath spark:default splunk:default kafka:default spark:compileClasspath function:checkstyle server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath linq4j:runtimeClasspath linq4j:default druid:checkstyle druid:compileClasspath plus:compileClasspath csv:checkstyle linq4j:compileClasspath pig:default plus:runtimeClasspath splunk:compileClasspath core:checkstyle function:default file:compileClasspath core:implementationDependenciesMetadata file:checkstyle kafka:runtimeClasspath splunk:runtimeClasspath file:runtimeClasspath innodb:runtimeClasspath elasticsearch:default geode:checkstyle kafka:compileClasspath druid:runtimeClasspath mongodb:checkstyle elasticsearch:checkstyle linq4j:checkstyle redis:checkstyle babel:checkstyle mongodb:default cassandra:default innodb:checkstyle cassandra:checkstyle piglet:checkstyle bom:checkstyle babel:default function:runtimeClasspath redis:compileClasspath redis:runtimeClasspath spark:checkstyle plus:checkstyle core:default function:compileClasspath pig:checkstyle elasticsearch:compileClasspath babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default babel:compileClasspath server:checkstyle csv:default innodb:compileClasspath core:compileClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default geode:compileClasspath mongodb:runtimeClasspath release:checkstyle file:default server:default kafka:checkstyle ubenchmark:checkstyle ubenchmark:jmhCompileClasspath example:checkstyle pig:runtimeClasspath mongodb:compileClasspath server:compileClasspath redis:default geode:runtimeClasspath csv:compileClasspath csv:runtimeClasspath plus:default pig:compileClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | gradle | groupid | com.google.guava | Highest
Vendor | pom | name | Guava ListenableFuture only | High
Vendor | pom | groupid | google.guava | Highest
Vendor | pom | artifactid | listenablefuture | Low
Vendor | pom | parent-groupid | com.google.guava | Medium
Vendor | file | name | listenablefuture | High
Vendor | pom | parent-artifactid | guava-parent | Low
Product | gradle | artifactid | listenablefuture | Highest
Product | pom | name | Guava ListenableFuture only | High
Product | pom | artifactid | listenablefuture | Highest
Product | pom | groupid | google.guava | Highest
Product | pom | parent-groupid | com.google.guava | Medium
Product | file | name | listenablefuture | High
Product | pom | parent-artifactid | guava-parent | Medium
Version | pom | version | 9999.0-empty-to-avoid-conflict-with-guava | Highest
Version | gradle | version | 9999.0-empty-to-avoid-conflict-with-guava | Highest
Version | pom | parent-version | 9999.0-empty-to-avoid-conflict-with-guava | Low
log4j-1.2.17.jar
Description: Apache Log4j 1.2
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar
MD5: 04a41f0a068986f0f73485cf507c0f40
SHA1: 5af35056b4d257e4b64b9e8069c0746e8b08629f
SHA256: 1d31696445697720527091754369082a6651bd49781b6005deb94e56753406f9
Referenced In Projects/Scopes: piglet:compileClasspath babel:default piglet:runtimeClasspath spark:default splunk:default function:runtimeClasspath kafka:default spark:compileClasspath redis:runtimeClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath core:default babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default pig:default plus:runtimeClasspath function:default csv:default innodb:compileClasspath core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath core:compileClasspath file:runtimeClasspath innodb:runtimeClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default elasticsearch:default druid:runtimeClasspath mongodb:runtimeClasspath file:default server:default pig:runtimeClasspath mongodb:default redis:default geode:runtimeClasspath csv:runtimeClasspath plus:default cassandra:default
Evidence (Type | Source | Name | Value | Confidence):
Vendor | gradle | groupid | log4j | Highest
Vendor | jar | package name | log4j | Highest
Vendor | Manifest | bundle-symbolicname | log4j | Medium
Vendor | pom | organization url | http://www.apache.org | Medium
Vendor | pom | url | http://logging.apache.org/log4j/1.2/ | Highest
Vendor | pom | name | Apache Log4j | High
Vendor | pom | artifactid | log4j | Low
Vendor | manifest: org.apache.log4j | Implementation-Vendor | "Apache Software Foundation" | Medium
Vendor | file | name | log4j | High
Vendor | Manifest | bundle-docurl | http://logging.apache.org/log4j/1.2 | Low
Vendor | jar | package name | apache | Highest
Vendor | pom | organization name | Apache Software Foundation | High
Vendor | pom | groupid | log4j | Highest
Product | pom | url | http://logging.apache.org/log4j/1.2/ | Medium
Product | jar | package name | log4j | Highest
Product | Manifest | bundle-symbolicname | log4j | Medium
Product | pom | organization url | http://www.apache.org | Low
Product | pom | organization name | Apache Software Foundation | Low
Product | pom | name | Apache Log4j | High
Product | manifest: org.apache.log4j | Implementation-Title | log4j | Medium
Product | pom | artifactid | log4j | Highest
Product | gradle | artifactid | log4j | Highest
Product | file | name | log4j | High
Product | Manifest | bundle-docurl | http://logging.apache.org/log4j/1.2 | Low
Product | Manifest | Bundle-Name | Apache Log4j | Medium
Product | jar | package name | apache | Highest
Product | pom | groupid | log4j | Highest
Version | gradle | version | 1.2.17 | Highest
Version | Manifest | Bundle-Version | 1.2.17 | High
Version | pom | version | 1.2.17 | Highest
Version | manifest: org.apache.log4j | Implementation-Version | 1.2.17 | Medium
Version | file | version | 1.2.17 | High
Published Vulnerabilities
CVE-2019-17571
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17. CWE-502 Deserialization of Untrusted Data
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2020-9488
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. CWE-295 Improper Certificate Validation
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: LOW (3.7) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
log4j-api-2.13.3.jar
Description: The Apache Log4j API
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.logging.log4j/log4j-api/2.13.3/ec1508160b93d274b1add34419b897bae84c6ca9/log4j-api-2.13.3.jar
MD5: 236b9969df6b394e88283a9f813b9b95
SHA1: ec1508160b93d274b1add34419b897bae84c6ca9
SHA256: 2b4b1965c9dce7f3732a0fbf5c8493199c1e6bf8cf65c3e235b57d98da5f36af
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | jar | package name | org | Highest
Vendor | jar | package name | logging | Highest
Vendor | Manifest | log4jreleasemanager | Ralph Goers | Low
Vendor | jar | package name | log4j | Highest
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | pom | name | Apache Log4j API | High
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | Manifest | implementation-url | https://logging.apache.org/log4j/2.x/log4j-api/ | Low
Vendor | pom | parent-groupid | org.apache.logging.log4j | Medium
Vendor | file | name | log4j-api | High
Vendor | pom | groupid | apache.logging.log4j | Highest
Vendor | jar | package name | apache | Highest
Vendor | Manifest | bundle-docurl | https://www.apache.org/ | Low
Vendor | pom | parent-artifactid | log4j | Low
Vendor | Manifest | bundle-symbolicname | org.apache.logging.log4j.api | Medium
Vendor | pom | artifactid | log4j-api | Low
Vendor | Manifest | log4jreleasekey | B3D8E1BA | Low
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Vendor | gradle | groupid | org.apache.logging.log4j | Highest
Vendor | Manifest | multi-release | true | Low
Vendor | Manifest | Implementation-Vendor-Id | org.apache.logging.log4j | Medium
Product | jar | package name | org | Highest
Product | Manifest | specification-title | Apache Log4j API | Medium
Product | jar | package name | logging | Highest
Product | Manifest | log4jreleasemanager | Ralph Goers | Low
Product | Manifest | Implementation-Title | Apache Log4j API | High
Product | jar | package name | log4j | Highest
Product | pom | parent-artifactid | log4j | Medium
Product | pom | name | Apache Log4j API | High
Product | Manifest | implementation-url | https://logging.apache.org/log4j/2.x/log4j-api/ | Low
Product | pom | parent-groupid | org.apache.logging.log4j | Medium
Product | pom | artifactid | log4j-api | Highest
Product | file | name | log4j-api | High
Product | gradle | artifactid | log4j-api | Highest
Product | pom | groupid | apache.logging.log4j | Highest
Product | jar | package name | apache | Highest
Product | Manifest | bundle-docurl | https://www.apache.org/ | Low
Product | Manifest | bundle-symbolicname | org.apache.logging.log4j.api | Medium
Product | Manifest | log4jreleasekey | B3D8E1BA | Low
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low
Product | Manifest | multi-release | true | Low
Product | Manifest | Bundle-Name | Apache Log4j API | Medium
Version | pom | version | 2.13.3 | Highest
Version | Manifest | log4jreleaseversion | 2.13.3 | Medium
Version | file | version | 2.13.3 | High
Version | gradle | version | 2.13.3 | Highest
Version | Manifest | Implementation-Version | 2.13.3 | High
Version | Manifest | Bundle-Version | 2.13.3 | High
lombok-1.18.10.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.projectlombok/lombok/1.18.10/625fc0055674dff70dbc76efa36d0f2c89b04a24/lombok-1.18.10.jar
MD5: a549b7cd139ccef0fe19d8e7cb5953cd
SHA1: 625fc0055674dff70dbc76efa36d0f2c89b04a24
SHA256: 2836e954823bfcbad45e78c18896e3d01058e6f643749810c608b7005ee7b2fa
Referenced In Projects/Scopes: innodb:compileClasspath innodb:runtimeClasspath calcite:sqllineClasspath innodb:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | gradle | groupid | org.projectlombok | Highest
Vendor | jar | package name | lombok | Low
Vendor | file | name | lombok | High
Vendor | Manifest | can-redefine-classes | true | Low
Product | file | name | lombok | High
Product | gradle | artifactid | lombok | Highest
Product | Manifest | can-redefine-classes | true | Low
Version | gradle | version | 1.18.10 | Highest
Version | file | name | lombok | Medium
Version | file | version | 1.18.10 | High
Version | Manifest | lombok-version | 1.18.10 | Medium
lz4-1.3.0.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.jpountz.lz4/lz4/1.3.0/c708bb2590c0652a642236ef45d9f99ff842a2ce/lz4-1.3.0.jar
MD5: 13deb68e0fb236a9f9e07dccaa4dfabd
SHA1: c708bb2590c0652a642236ef45d9f99ff842a2ce
SHA256: b877a4d4a3a0140486d3d0f83d9058e7c0ff6ca80b00d2f7b77145935b385b56
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | lz4 | High
Vendor | jar | package name | lz4 | Highest
Vendor | Manifest | originally-created-by | 1.7.0_55-b13 (Oracle Corporation) | Low
Vendor | Manifest | bundle-symbolicname | lz4-java | Medium
Vendor | jar | package name | net | Low
Vendor | jar | package name | jpountz | Low
Vendor | gradle | groupid | net.jpountz.lz4 | Highest
Product | file | name | lz4 | High
Product | jar | package name | lz4 | Highest
Product | Manifest | originally-created-by | 1.7.0_55-b13 (Oracle Corporation) | Low
Product | Manifest | bundle-symbolicname | lz4-java | Medium
Product | Manifest | Bundle-Name | LZ4 Java Compression | Medium
Product | jar | package name | jpountz | Low
Product | gradle | artifactid | lz4 | Highest
Version | file | version | 1.3.0 | High
Version | file | name | lz4 | Medium
Version | gradle | version | 1.3.0 | Highest
Version | Manifest | Bundle-Version | 1.3.0 | High
lz4-java-1.5.0.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.lz4/lz4-java/1.5.0/d36fb639f06aaa4f17307625f80e2e32f815672a/lz4-java-1.5.0.jar
MD5: d4b3c2a4224642a562296d919fba747a
SHA1: d36fb639f06aaa4f17307625f80e2e32f815672a
SHA256: 88a92c42e32f921a7cb37cd3ad30817c1e07c95fc7d52b53cd9e212bfe3b358f
Referenced In Projects/Scopes: kafka:runtimeClasspath calcite:sqllineClasspath kafka:compileClasspath kafka:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | lz4 | Highest
Vendor | Manifest | originally-created-by | 1.7.0_95-b00 (Oracle Corporation) | Low
Vendor | Manifest | bundle-symbolicname | lz4-java | Medium
Vendor | jar | package name | net | Low
Vendor | jar | package name | lz4 | Low
Vendor | jar | package name | jpountz | Low
Vendor | gradle | groupid | org.lz4 | Highest
Vendor | file | name | lz4-java | High
Product | Manifest | Bundle-Name | lz4-java | Medium
Product | jar | package name | lz4 | Highest
Product | Manifest | originally-created-by | 1.7.0_95-b00 (Oracle Corporation) | Low
Product | gradle | artifactid | lz4-java | Highest
Product | Manifest | bundle-symbolicname | lz4-java | Medium
Product | jar | package name | lz4 | Low
Product | jar | package name | jpountz | Low
Product | file | name | lz4-java | High
Version | gradle | version | 1.5.0 | Highest
Version | file | name | lz4-java | Medium
Version | Manifest | Bundle-Version | 0 | High
Version | file | version | 1.5.0 | High
mail-1.4.7.jar
Description:
JavaMail API (compat)
License:
http://www.sun.com/cddl, https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.mail/mail/1.4.7/9add058589d5d85adeb625859bf2c5eeaaedf12d/mail-1.4.7.jar
MD5: 77f53ff0c78ba43c4812ecc9f53e20f8
SHA1: 9add058589d5d85adeb625859bf2c5eeaaedf12d
SHA256: 78c33b4f7c7b60f4b680f2d2405b1f063d71929cf1a4fbc328888379f365fcfb
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | Implementation-Vendor-Id | com.sun | Medium
Vendor | pom | parent-groupid | com.sun.mail | Medium
Vendor | jar | package name | mail | Highest
Vendor | Manifest | bundle-docurl | http://www.oracle.com | Low
Vendor | jar | package name | sun | Highest
Vendor | Manifest | Implementation-Vendor | Oracle | High
Vendor | Manifest (hint) | specification-vendor | sun | Low
Vendor | pom | parent-artifactid | all | Low
Vendor | gradle | groupid | javax.mail | Highest
Vendor | pom | name | JavaMail API (compat) | High
Vendor | file | name | mail | High
Vendor | Manifest | extension-name | javax.mail | Medium
Vendor | Manifest | specification-vendor | Oracle | Low
Vendor | pom | groupid | javax.mail | Highest
Vendor | Manifest | originally-created-by | 1.7.0_15 (Oracle Corporation) | Low
Vendor | pom | artifactid | mail | Low
Vendor | jar | package name | javax | Highest
Vendor | Manifest | bundle-symbolicname | javax.mail | Medium
Vendor | Manifest | probe-provider-xml-file-names | META-INF/gfprobe-provider.xml | Medium
Vendor | jar | package name | provider | Highest
Vendor | jar (hint) | package name | oracle | Highest
Vendor | Manifest (hint) | Implementation-Vendor | sun | High
Product | pom | parent-groupid | com.sun.mail | Medium
Product | jar | package name | mail | Highest
Product | Manifest | bundle-docurl | http://www.oracle.com | Low
Product | jar | package name | sun | Highest
Product | pom | artifactid | mail | Highest
Product | Manifest | specification-title | JavaMail(TM) API Design Specification | Medium
Product | pom | name | JavaMail API (compat) | High
Product | file | name | mail | High
Product | Manifest | extension-name | javax.mail | Medium
Product | pom | groupid | javax.mail | Highest
Product | Manifest | Bundle-Name | JavaMail API (compat) | Medium
Product | Manifest | originally-created-by | 1.7.0_15 (Oracle Corporation) | Low
Product | jar | package name | javax | Highest
Product | Manifest | bundle-symbolicname | javax.mail | Medium
Product | Manifest | probe-provider-xml-file-names | META-INF/gfprobe-provider.xml | Medium
Product | gradle | artifactid | mail | Highest
Product | jar | package name | provider | Highest
Product | Manifest | Implementation-Title | javax.mail | High
Product | pom | parent-artifactid | all | Medium
Version | gradle | version | 1.4.7 | Highest
Version | file | version | 1.4.7 | High
Version | pom | version | 1.4.7 | Highest
Version | Manifest | Bundle-Version | 1.4.7 | High
Version | Manifest | Implementation-Version | 1.4.7 | High
memory-0.9.0.jar
Description:
Memory contains interfaces and classes to allocate and access off-heap memory
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.yahoo.datasketches/memory/0.9.0/10a7f4c09076d5c5d5d7a3f0546b71764ec5704/memory-0.9.0.jar
MD5: 57e843b3603c435fd3ea482388da5bcf
SHA1: 010a7f4c09076d5c5d5d7a3f0546b71764ec5704
SHA256: c7d22ca0298753de7a5c85edc9b926892936e978595fe44375159b8ada15fdfc
Referenced In Projects/Scopes: babel:default piglet:runtimeClasspath spark:default splunk:default function:runtimeClasspath kafka:default redis:runtimeClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath core:default babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default pig:default plus:runtimeClasspath function:default csv:default core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath core:compileClasspath file:runtimeClasspath innodb:runtimeClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default elasticsearch:default druid:runtimeClasspath mongodb:runtimeClasspath file:default server:default pig:runtimeClasspath mongodb:default redis:default geode:runtimeClasspath csv:runtimeClasspath plus:default cassandra:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | jar | package name | memory | Highest
Vendor | jar | package name | memory | Low
Vendor | pom | name | ${project.parent.groupId}:${project.artifactId} | High
Vendor | jar | package name | yahoo | Low
Vendor | pom | groupid | yahoo.datasketches | Highest
Vendor | pom | parent-groupid | com.yahoo.datasketches | Medium
Vendor | pom | artifactid | memory | Low
Vendor | gradle | groupid | com.yahoo.datasketches | Highest
Vendor | file | name | memory | High
Vendor | jar | package name | yahoo | Highest
Vendor | pom | parent-artifactid | sketches | Low
Product | jar | package name | memory | Highest
Product | pom | artifactid | memory | Highest
Product | jar | package name | memory | Low
Product | gradle | artifactid | memory | Highest
Product | pom | name | ${project.parent.groupId}:${project.artifactId} | High
Product | pom | groupid | yahoo.datasketches | Highest
Product | pom | parent-groupid | com.yahoo.datasketches | Medium
Product | pom | parent-artifactid | sketches | Medium
Product | file | name | memory | High
Product | jar | package name | yahoo | Highest
Version | file | version | 0.9.0 | High
Version | pom | version | 0.9.0 | Highest
Version | gradle | version | 0.9.0 | Highest
metrics-core-3.1.2.jar
Description:
Metrics is a Java library which gives you unparalleled insight into what your code does in
production. Metrics provides a powerful toolkit of ways to measure the behavior of critical
components in your production environment.
License:
http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.dropwizard.metrics/metrics-core/3.1.2/224f03afd2521c6c94632f566beb1bb5ee32cf07/metrics-core-3.1.2.jar
MD5: b8b2de75247322a0c037420f5708e592
SHA1: 224f03afd2521c6c94632f566beb1bb5ee32cf07
SHA256: 245ba2a66a9bc710ce4db14711126e77bcb4e6d96ef7e622659280f3c90cbb5c
Referenced In Projects/Scopes: spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | Implementation-Vendor-Id | io.dropwizard.metrics | Medium
Vendor | pom | artifactid | metrics-core | Low
Vendor | Manifest | bundle-symbolicname | io.dropwizard.metrics.core | Medium
Vendor | gradle | groupid | io.dropwizard.metrics | Highest
Vendor | file | name | metrics-core | High
Vendor | pom | parent-artifactid | metrics-parent | Low
Vendor | pom | name | Metrics Core | High
Vendor | jar | package name | metrics | Highest
Vendor | pom | groupid | io.dropwizard.metrics | Highest
Product | Manifest | bundle-symbolicname | io.dropwizard.metrics.core | Medium
Product | pom | artifactid | metrics-core | Highest
Product | Manifest | Implementation-Title | Metrics Core | High
Product | file | name | metrics-core | High
Product | gradle | artifactid | metrics-core | Highest
Product | pom | name | Metrics Core | High
Product | pom | parent-artifactid | metrics-parent | Medium
Product | jar | package name | metrics | Highest
Product | Manifest | Bundle-Name | Metrics Core | Medium
Product | pom | groupid | io.dropwizard.metrics | Highest
Version | file | version | 3.1.2 | High
Version | Manifest | Implementation-Version | 3.1.2 | High
Version | gradle | version | 3.1.2 | Highest
Version | Manifest | Bundle-Version | 3.1.2 | High
Version | pom | version | 3.1.2 | Highest
metrics-core-3.2.2.jar
Description:
Metrics is a Java library which gives you unparalleled insight into what your code does in
production. Metrics provides a powerful toolkit of ways to measure the behavior of critical
components in your production environment.
License:
http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.dropwizard.metrics/metrics-core/3.2.2/cd9886f498ee2ab2d994f0c779e5553b2c450416/metrics-core-3.2.2.jar
MD5: da529999d5083e800829eaab432a8a54
SHA1: cd9886f498ee2ab2d994f0c779e5553b2c450416
SHA256: 5c6f685e41664d10c70c65837cba9e58d39ff3896811e3b5707a934b11c85ad0
Referenced In Projects/Scopes: cassandra:compileClasspath calcite:sqllineClasspath cassandra:runtimeClasspath cassandra:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | Implementation-Vendor-Id | io.dropwizard.metrics | Medium
Vendor | pom | artifactid | metrics-core | Low
Vendor | Manifest | bundle-symbolicname | io.dropwizard.metrics.core | Medium
Vendor | gradle | groupid | io.dropwizard.metrics | Highest
Vendor | file | name | metrics-core | High
Vendor | pom | parent-artifactid | metrics-parent | Low
Vendor | pom | name | Metrics Core | High
Vendor | jar | package name | metrics | Highest
Vendor | pom | groupid | io.dropwizard.metrics | Highest
Product | Manifest | bundle-symbolicname | io.dropwizard.metrics.core | Medium
Product | pom | artifactid | metrics-core | Highest
Product | Manifest | Implementation-Title | Metrics Core | High
Product | file | name | metrics-core | High
Product | gradle | artifactid | metrics-core | Highest
Product | pom | name | Metrics Core | High
Product | pom | parent-artifactid | metrics-parent | Medium
Product | jar | package name | metrics | Highest
Product | Manifest | Bundle-Name | Metrics Core | Medium
Product | pom | groupid | io.dropwizard.metrics | Highest
Version | pom | version | 3.2.2 | Highest
Version | file | version | 3.2.2 | High
Version | gradle | version | 3.2.2 | Highest
Version | Manifest | Implementation-Version | 3.2.2 | High
Version | Manifest | Bundle-Version | 3.2.2 | High
metrics-graphite-3.1.2.jar
Description:
A reporter for Metrics which announces measurements to a Graphite server.
License:
http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.dropwizard.metrics/metrics-graphite/3.1.2/15a68399652c6123fe6e4c82ac4f0749e2eb6583/metrics-graphite-3.1.2.jar
MD5: 90905e4fae6cff5cdf6faa8c8e218cc5
SHA1: 15a68399652c6123fe6e4c82ac4f0749e2eb6583
SHA256: b08f4fd5907c7fa5b4dacc047ce4c7bc9a2a18c3860e2b8e8b84a0149ef326e1
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | Implementation-Vendor-Id | io.dropwizard.metrics | Medium
Vendor | pom | artifactid | metrics-graphite | Low
Vendor | pom | name | Graphite Integration for Metrics | High
Vendor | gradle | groupid | io.dropwizard.metrics | Highest
Vendor | jar | package name | graphite | Highest
Vendor | file | name | metrics-graphite | High
Vendor | pom | parent-artifactid | metrics-parent | Low
Vendor | Manifest | bundle-symbolicname | io.dropwizard.metrics.graphite | Medium
Vendor | jar | package name | metrics | Highest
Vendor | pom | groupid | io.dropwizard.metrics | Highest
Product | pom | name | Graphite Integration for Metrics | High
Product | Manifest | Implementation-Title | Graphite Integration for Metrics | High
Product | pom | artifactid | metrics-graphite | Highest
Product | gradle | artifactid | metrics-graphite | Highest
Product | jar | package name | graphite | Highest
Product | Manifest | Bundle-Name | Graphite Integration for Metrics | Medium
Product | file | name | metrics-graphite | High
Product | Manifest | bundle-symbolicname | io.dropwizard.metrics.graphite | Medium
Product | pom | parent-artifactid | metrics-parent | Medium
Product | jar | package name | metrics | Highest
Product | pom | groupid | io.dropwizard.metrics | Highest
Version | file | version | 3.1.2 | High
Version | Manifest | Implementation-Version | 3.1.2 | High
Version | gradle | version | 3.1.2 | Highest
Version | Manifest | Bundle-Version | 3.1.2 | High
Version | pom | version | 3.1.2 | Highest
metrics-json-3.1.2.jar
Description:
A set of Jackson modules which provide serializers for most Metrics classes.
License:
http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.dropwizard.metrics/metrics-json/3.1.2/88d9e57e1ef6431109d4030c717cf5f927900fd9/metrics-json-3.1.2.jar
MD5: 50f9bb226e088a95dd7eaa848bd3c656
SHA1: 88d9e57e1ef6431109d4030c717cf5f927900fd9
SHA256: fcedfa0040e4412ac4395049a52c5ebe4ca7d6a55e99207f3f508ec22108cb9d
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | Implementation-Vendor-Id | io.dropwizard.metrics | Medium
Vendor | pom | artifactid | metrics-json | Low
Vendor | Manifest | bundle-symbolicname | io.dropwizard.metrics.json | Medium
Vendor | pom | name | Jackson Integration for Metrics | High
Vendor | gradle | groupid | io.dropwizard.metrics | Highest
Vendor | file | name | metrics-json | High
Vendor | pom | parent-artifactid | metrics-parent | Low
Vendor | jar | package name | json | Highest
Vendor | jar | package name | metrics | Highest
Vendor | pom | groupid | io.dropwizard.metrics | Highest
Product | Manifest | Implementation-Title | Jackson Integration for Metrics | High
Product | Manifest | bundle-symbolicname | io.dropwizard.metrics.json | Medium
Product | pom | name | Jackson Integration for Metrics | High
Product | file | name | metrics-json | High
Product | Manifest | Bundle-Name | Jackson Integration for Metrics | Medium
Product | jar | package name | json | Highest
Product | pom | artifactid | metrics-json | Highest
Product | pom | parent-artifactid | metrics-parent | Medium
Product | jar | package name | metrics | Highest
Product | gradle | artifactid | metrics-json | Highest
Product | pom | groupid | io.dropwizard.metrics | Highest
Version | file | version | 3.1.2 | High
Version | Manifest | Implementation-Version | 3.1.2 | High
Version | gradle | version | 3.1.2 | Highest
Version | Manifest | Bundle-Version | 3.1.2 | High
Version | pom | version | 3.1.2 | Highest
metrics-jvm-3.1.2.jar
Description:
A set of classes which allow you to monitor critical aspects of your Java Virtual Machine
using Metrics.
License:
http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.dropwizard.metrics/metrics-jvm/3.1.2/ed364e77218e50fdcdebce4d982cb4d1f4a8c187/metrics-jvm-3.1.2.jar
MD5: 0d18317a48fc7d4c33cfb31b9d537eab
SHA1: ed364e77218e50fdcdebce4d982cb4d1f4a8c187
SHA256: 0350dd123d20a1090858a44ef2809cccfb6d49fcf31bc636a1b4aa5cf3e7a50d
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | Implementation-Vendor-Id | io.dropwizard.metrics | Medium
Vendor | Manifest | bundle-symbolicname | io.dropwizard.metrics.jvm | Medium
Vendor | jar | package name | jvm | Highest
Vendor | gradle | groupid | io.dropwizard.metrics | Highest
Vendor | file | name | metrics-jvm | High
Vendor | pom | parent-artifactid | metrics-parent | Low
Vendor | pom | name | JVM Integration for Metrics | High
Vendor | pom | artifactid | metrics-jvm | Low
Vendor | jar | package name | metrics | Highest
Vendor | pom | groupid | io.dropwizard.metrics | Highest
Product | Manifest | Bundle-Name | JVM Integration for Metrics | Medium
Product | Manifest | bundle-symbolicname | io.dropwizard.metrics.jvm | Medium
Product | jar | package name | jvm | Highest
Product | Manifest | Implementation-Title | JVM Integration for Metrics | High
Product | pom | artifactid | metrics-jvm | Highest
Product | file | name | metrics-jvm | High
Product | gradle | artifactid | metrics-jvm | Highest
Product | pom | name | JVM Integration for Metrics | High
Product | pom | parent-artifactid | metrics-parent | Medium
Product | jar | package name | metrics | Highest
Product | pom | groupid | io.dropwizard.metrics | Highest
Version | file | version | 3.1.2 | High
Version | Manifest | Implementation-Version | 3.1.2 | High
Version | gradle | version | 3.1.2 | Highest
Version | Manifest | Bundle-Version | 3.1.2 | High
Version | pom | version | 3.1.2 | Highest
micrometer-core-1.2.0.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.micrometer/micrometer-core/1.2.0/e085f337633b807020596b37dc9c9ccd3ee1a1f/micrometer-core-1.2.0.jar
MD5: 2d61ce6aa26bfe578bfbdc5c9fecfe78
SHA1: 0e085f337633b807020596b37dc9c9ccd3ee1a1f
SHA256: 9aacd657e0904f0b9c2f5bccbc92456b73debd2106cf0232b33f86dea57ab1c7
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | module-email | jschneider@pivotal.io | Low
Vendor | jar | package name | io | Low
Vendor | Manifest | build-job | LOCAL | Low
Vendor | Manifest | build-host | dfacc99b3d64 | Low
Vendor | Manifest | branch | e8f84afbcf819ec1edfe1fed99965f44948c0ce1 | Low
Vendor | Manifest | build-date | 2019-06-29_20:19:42 | Low
Vendor | Manifest | built-os | Linux | Low
Vendor | gradle | groupid | io.micrometer | Highest
Vendor | Manifest | change | e8f84af | Low
Vendor | Manifest | module-source | /micrometer-core | Low
Vendor | jar | package name | micrometer | Low
Vendor | Manifest | module-owner | jschneider@pivotal.io | Low
Vendor | Manifest | module-origin | micrometer-metrics/micrometer.git | Low
Vendor | jar | package name | core | Low
Vendor | file | name | micrometer-core | High
Vendor | Manifest | build-number | LOCAL | Low
Vendor | Manifest | built-status | integration | Low
Product | Manifest | module-email | jschneider@pivotal.io | Low
Product | Manifest | build-job | LOCAL | Low
Product | Manifest | Implementation-Title | io.micrometer#micrometer-core;1.2.0 | High
Product | Manifest | build-host | dfacc99b3d64 | Low
Product | gradle | artifactid | micrometer-core | Highest
Product | jar | package name | micrometer | Highest
Product | Manifest | branch | e8f84afbcf819ec1edfe1fed99965f44948c0ce1 | Low
Product | jar | package name | core | Highest
Product | jar | package name | instrument | Low
Product | Manifest | build-date | 2019-06-29_20:19:42 | Low
Product | Manifest | built-os | Linux | Low
Product | Manifest | change | e8f84af | Low
Product | Manifest | module-source | /micrometer-core | Low
Product | jar | package name | micrometer | Low
Product | jar | package name | io | Highest
Product | Manifest | module-owner | jschneider@pivotal.io | Low
Product | Manifest | module-origin | micrometer-metrics/micrometer.git | Low
Product | jar | package name | core | Low
Product | file | name | micrometer-core | High
Product | Manifest | build-number | LOCAL | Low
Product | Manifest | built-status | integration | Low
Version | Manifest | Implementation-Version | 1.2.0 | High
Version | file | version | 1.2.0 | High
micrometer-core-1.2.0.jar (shaded: org.pcollections:pcollections:3.0.3)
Description:
A Persistent Java Collections Library
License:
The MIT License: https://opensource.org/licenses/mit-license.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.micrometer/micrometer-core/1.2.0/e085f337633b807020596b37dc9c9ccd3ee1a1f/micrometer-core-1.2.0.jar/META-INF/maven/org.pcollections/pcollections/pom.xml
MD5: 35ba5e5a8572be83189294f2607ee97b
SHA1: 312cf913d2d027395cf9cb15a46af2e763e876c6
SHA256: dbd55a6571ebc17f31e4ba012d35aae6d6384d35287e12cb69a02a5597547a42
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | url | https://pcollections.org | Highest
Vendor | pom | groupid | pcollections | Highest
Vendor | pom | artifactid | pcollections | Low
Vendor | pom | name | PCollections | High
Product | pom | groupid | pcollections | Highest
Product | pom | artifactid | pcollections | Highest
Product | pom | url | https://pcollections.org | Medium
Product | pom | name | PCollections | High
Version | pom | version | 3.0.3 | Highest
minlog-1.3.0.jar
Description:
Minimal overhead Java logging
License:
New BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.esotericsoftware/minlog/1.3.0/ff07b5f1b01d2f92bb00a337f9a94873712f0827/minlog-1.3.0.jar
MD5: 5ab0ee168b90e0ad7010b159e603d304
SHA1: ff07b5f1b01d2f92bb00a337f9a94873712f0827
SHA256: f7b399d3a5478a4f3e0d98bd1c9f47766119c66414bc33aa0f6cde0066f24cc2
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | bundle-symbolicname | com.esotericsoftware.minlog | Medium
Vendor | pom | url | EsotericSoftware/minlog | Highest
Vendor | gradle | groupid | com.esotericsoftware | Highest
Vendor | file | name | minlog | High
Vendor | jar | package name | minlog | Highest
Vendor | pom | artifactid | minlog | Low
Vendor | pom | name | MinLog | High
Vendor | pom | groupid | esotericsoftware | Highest
Vendor | jar | package name | esotericsoftware | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))" | Low
Vendor | Manifest | Implementation-Vendor-Id | com.esotericsoftware | Medium
Product | Manifest | Implementation-Title | MinLog | High
Product | gradle | artifactid | minlog | Highest
Product | file | name | minlog | High
Product | pom | artifactid | minlog | Highest
Product | Manifest | specification-title | MinLog | Medium
Product | Manifest | bundle-symbolicname | com.esotericsoftware.minlog | Medium
Product | pom | url | EsotericSoftware/minlog | High
Product | jar | package name | minlog | Highest
Product | pom | name | MinLog | High
Product | Manifest | Bundle-Name | MinLog | Medium
Product | pom | groupid | esotericsoftware | Highest
Product | jar | package name | esotericsoftware | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))" | Low
Version | file | version | 1.3.0 | High
Version | Manifest | Implementation-Version | 1.3.0 | High
Version | gradle | version | 1.3.0 | Highest
Version | Manifest | Bundle-Version | 1.3.0 | High
Version | pom | version | 1.3.0 | Highest
mongo-java-driver-3.10.2.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.mongodb/mongo-java-driver/3.10.2/ebd0adedee91359b5dec9c6768e8489f6ad472f2/mongo-java-driver-3.10.2.jar
MD5: 001e135416f6605546a20f8984769256
SHA1: ebd0adedee91359b5dec9c6768e8489f6ad472f2
SHA256: bfeba21e18c3b63e62f3a99cf6787a5e3c0a7453a08e3dde5285e0daa2d6baca
Referenced In Projects/Scopes: calcite:sqllineClasspath mongodb:compileClasspath mongodb:default mongodb:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Vendor | Manifest | bundle-symbolicname | org.mongodb.mongo-java-driver | Medium
Vendor | file | name | mongo-java-driver | High
Vendor | jar | package name | mongodb | Highest
Vendor | gradle | groupid | org.mongodb | Highest
Vendor | jar | package name | mongodb | Low
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | Manifest | bundle-symbolicname | org.mongodb.mongo-java-driver | Medium
Product | file | name | mongo-java-driver | High
Product | jar | package name | mongodb | Highest
Product | Manifest | Bundle-Name | mongo-java-driver | Medium
Product | gradle | artifactid | mongo-java-driver | Highest
Product | jar | package name | mongo | Highest
Version | file | version | 3.10.2 | High
Version | file | name | mongo-java-driver | Medium
Version | gradle | version | 3.10.2 | Highest
Version | Manifest | Bundle-Version | 3.10.2 | High
Version | Manifest | build-version | 3.10.2 | Medium
mx4j-3.0.2.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/mx4j/mx4j/3.0.2/47bf147f11b4a026263e1c96a1ea0e029f9e5ab6/mx4j-3.0.2.jar
MD5: 7a242daa907034067c195a4836ed9f16
SHA1: 47bf147f11b4a026263e1c96a1ea0e029f9e5ab6
SHA256: e7e3713e1455dbba454331c9d69567923911bd8fc89e4b5997b6d884b0f58b5c
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | mx4j-release | 3.0.2 | Low
Vendor | gradle | groupid | mx4j | Highest
Vendor | jar | package name | management | Low
Vendor | Manifest | mx4j-release-date | Friday 13 October 2006 01:11 CEST | Low
Vendor | file | name | mx4j | High
Vendor | jar | package name | javax | Low
Product | Manifest | mx4j-release | 3.0.2 | Low
Product | jar | package name | management | Low
Product | Manifest | mx4j-release-date | Friday 13 October 2006 01:11 CEST | Low
Product | file | name | mx4j | High
Product | gradle | artifactid | mx4j | Highest
Version | gradle | version | 3.0.2 | Highest
Version | Manifest | mx4j-release | 3.0.2 | Low
Version | file | name | mx4j | Medium
Version | Manifest | mx4j-release-date | 2006 | Low
Version | Manifest | mx4j-release-date | 13 | Low
Version | file | version | 3.0.2 | High
natty-0.13.jar
Description:
natural language date parser
License:
MIT License: LICENSE
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.joestelmach/natty/0.13/5a8bd7504927a9aeaf7bf998a346e56292b6fb2a/natty-0.13.jar
MD5: d5e0b77adc39acb4f9f1c01c08c324c7
SHA1: 5a8bd7504927a9aeaf7bf998a346e56292b6fb2a
SHA256: e9b0512e3dc7b7fa845d34041b58b3e34fdfca20852c2d25fb84ad7566c5815c
Referenced In Projects/Scopes: file:compileClasspath file:runtimeClasspath calcite:sqllineClasspath csv:runtimeClasspath file:default csv:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | name | Natty Date Parser | High
Vendor | gradle | groupid | com.joestelmach | Highest
Vendor | jar | package name | joestelmach | Highest
Vendor | pom | artifactid | natty | Low
Vendor | jar | package name | parser | Highest
Vendor | jar | package name | natty | Low
Vendor | pom | url | http://natty.joestelmach.com | Highest
Vendor | jar | package name | joestelmach | Low
Vendor | pom | groupid | joestelmach | Highest
Vendor | jar | package name | natty | Highest
Vendor | jar | package name | generated | Low
Vendor | file | name | natty | High
Product | pom | groupid | joestelmach | Highest
Product | pom | name | Natty Date Parser | High
Product | jar | package name | joestelmach | Highest
Product | jar | package name | parser | Highest
Product | jar | package name | natty | Low
Product | pom | artifactid | natty | Highest
Product | gradle | artifactid | natty | Highest
Product | jar | package name | natty | Highest
Product | jar | package name | generated | Low
Product | pom | url | http://natty.joestelmach.com | Medium
Product | file | name | natty | High
Version | pom | version | 0.13 | Highest
Version | gradle | version | 0.13 | Highest
Version | file | version | 0.13 | High
netty-3.7.0.Final.jar
Description:
The Netty project is an effort to provide an asynchronous event-driven
network application framework and tools for rapid development of
maintainable high performance and high scalability protocol servers and
clients. In other words, Netty is a NIO client server framework which
enables quick and easy development of network applications such as protocol
servers and clients. It greatly simplifies and streamlines network
programming such as TCP and UDP socket server.
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.netty/netty/3.7.0.Final/7a8c35599c68c0bf383df74469aa3e03d9aca87/netty-3.7.0.Final.jar
MD5: c9ef3b2f37d581e500a9d6c1efc4ab69
SHA1: 07a8c35599c68c0bf383df74469aa3e03d9aca87
SHA256: aa44be64442b9cbc5edd521476b9f1c272eec6a53dca104cf3032f42ad20ff89
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath piglet:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | io.netty | Highest
Vendor | pom | url | http://netty.io/ | Highest
Vendor | jar | package name | netty | Highest
Vendor | Manifest | bundle-docurl | http://netty.io/ | Low
Vendor | Manifest | bundle-symbolicname | org.jboss.netty | Medium
Vendor | Manifest | bundle-buddypolicy | registered | Low
Vendor | gradle | groupid | io.netty | Highest
Vendor | Manifest | eclipse-buddypolicy | registered | Low
Vendor | jar | package name | jboss | Highest
Vendor | pom | organization url | http://netty.io/ | Medium
Vendor | pom | name | The Netty Project | High
Vendor | pom | organization name | The Netty Project | High
Vendor | pom | artifactid | netty | Low
Vendor | file | name | netty | High
Product | pom | groupid | io.netty | Highest
Product | pom | url | http://netty.io/ | Medium
Product | Manifest | Bundle-Name | The Netty Project | Medium
Product | jar | package name | netty | Highest
Product | Manifest | bundle-docurl | http://netty.io/ | Low
Product | jar | package name | socket | Highest
Product | pom | artifactid | netty | Highest
Product | pom | organization name | The Netty Project | Low
Product | Manifest | bundle-symbolicname | org.jboss.netty | Medium
Product | pom | organization url | http://netty.io/ | Low
Product | Manifest | bundle-buddypolicy | registered | Low
Product | gradle | artifactid | netty | Highest
Product | Manifest | eclipse-buddypolicy | registered | Low
Product | jar | package name | jboss | Highest
Product | pom | name | The Netty Project | High
Product | file | name | netty | High
Version | gradle | version | 3.7.0.Final | Highest
Version | Manifest | Bundle-Version | 3.7.0.Final | High
Version | pom | version | 3.7.0.Final | Highest
Published Vulnerabilities CVE-2014-0193 suppress
WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory consumption) via a TextWebSocketFrame followed by a long stream of ContinuationWebSocketFrames. CWE-399 Resource Management Errors
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P References:
Vulnerable Software & Versions: (show all )
CVE-2014-3488 suppress
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message. CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P References:
Vulnerable Software & Versions: (show all )
CVE-2015-2156
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters. CWE-20 Improper Input Validation
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
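Added example for the CVE-2015-2156 entry above (not Netty code and not part of the report): a Set-Cookie encoder that validates the cookie name against the RFC 2616 token grammar and the value against the RFC 6265 cookie-octet grammar before emitting the header, next to a naive encoder that trusts both. The function names are this example's own, and the two hostile values are constructed illustrations of characters the grammar forbids, not payloads from the original report.

```python
"""Cookie name/value validation of the kind CVE-2015-2156 says Netty lacked.

naive_set_cookie() concatenates an unvalidated value the way a pre-fix encoder
might; strict_set_cookie() enforces the RFC 6265 grammar first.
"""
import re

# RFC 2616 token for cookie-name, RFC 6265 cookie-octet for cookie-value.
COOKIE_NAME = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
COOKIE_OCTET = re.compile(r"^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$")


class InvalidCookie(ValueError):
    pass


def validate_cookie(name: str, value: str) -> None:
    if not COOKIE_NAME.match(name):
        raise InvalidCookie(f"bad cookie name {name!r}")
    # an optionally double-quoted value is allowed, but only cookie-octets inside
    inner = value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value
    if not COOKIE_OCTET.match(inner):
        # rejects CTLs (so CR/LF), whitespace, ';', ',', '"' and '\\'
        raise InvalidCookie(f"bad cookie value {value!r}")


def _attributes(http_only: bool, secure: bool, path: str) -> str:
    parts = [f"Path={path}"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def naive_set_cookie(name: str, value: str, http_only=True, secure=True, path="/") -> str:
    """Vulnerable shape: whatever is in name and value goes on the wire."""
    return f"Set-Cookie: {name}={value}; {_attributes(http_only, secure, path)}"


def strict_set_cookie(name: str, value: str, http_only=True, secure=True, path="/") -> str:
    """Hardened shape: same output, but only for a name and value that parse as one pair."""
    validate_cookie(name, value)
    return f"Set-Cookie: {name}={value}; {_attributes(http_only, secure, path)}"


def rejects(name: str, value: str) -> bool:
    try:
        validate_cookie(name, value)
    except InvalidCookie:
        return True
    return False


# Constructed hostile values. CRLF_SPLIT turns one header into two lines, the
# first of which carries no HttpOnly attribute at all. SEMICOLON ends the
# name=value pair early: ';' is the pair separator in a Cookie request header
# and the attribute separator in Set-Cookie, so an encoder that emits it inside
# a value hands control of what follows to the value.
CRLF_SPLIT = "abc\r\nSet-Cookie: session=abc"
SEMICOLON = "abc; injected=1"

if __name__ == "__main__":
    print(naive_set_cookie("session", CRLF_SPLIT))
    for v in ("abc", '"abc"', CRLF_SPLIT, SEMICOLON):
        print(repr(v), "rejected" if rejects("session", v) else "accepted")
```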
CVE-2019-16869
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
BUGTRAQ - 20200105 [SECURITY] [DSA 4597-1] netty security update
DEBIAN - DSA-4597
MISC - https://github.com/netty/netty/compare/netty-4.1.41.Final...netty-4.1.42.Final
MISC - https://github.com/netty/netty/issues/9571
MLIST - [camel-commits] 20201120 [camel] branch camel-2.25.x updated: Updating Netty to 4.1.48.Final to fix some CVEs (e.g. CVE-2019-16869, CVE-2019-20444)
MLIST - [cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15417) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5
MLIST - [cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15418) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5 for Cassendra 2.2.5
MLIST - [cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities
MLIST - [cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6
MLIST - [cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16699) Security vulnerability CVE-2020-7238 for Netty
MLIST - [cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16699) Security vulnerability CVE-2020-7238 for Netty
MLIST - [debian-lts-announce] 20190930 [SECURITY] [DLA 1941-1] netty security update
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update
MLIST - [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities
MLIST - [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
MLIST - [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
MLIST - [druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities
MLIST - [druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch branch-3.1 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch branch-3.2 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch trunk updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-issues] 20200219 [jira] [Assigned] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,
MLIST - [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200224 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200225 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200309 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200309 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200310 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [olingo-dev] 20191206 [jira] [Assigned] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [olingo-dev] 20191206 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [olingo-dev] 20191206 [jira] [Created] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [olingo-dev] 20191206 [jira] [Resolved] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [olingo-dev] 20191206 [jira] [Updated] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [olingo-dev] 20191209 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [olingo-dev] 20191227 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list
MLIST - [pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [rocketmq-dev] 20201224 [GitHub] [rocketmq] codecov-io commented on pull request #2517: fix CVE-2019-16869, CVE-2018-8020
MLIST - [rocketmq-dev] 20201224 [GitHub] [rocketmq] coveralls commented on pull request #2517: fix CVE-2019-16869, CVE-2018-8020
MLIST - [rocketmq-dev] 20201224 [GitHub] [rocketmq] crazywen opened a new pull request #2517: fix CVE-2019-16869, CVE-2018-8020
MLIST - [spark-issues] 20191219 [jira] [Commented] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191219 [jira] [Created] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191219 [jira] [Updated] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191220 [jira] [Comment Edited] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191220 [jira] [Commented] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191220 [jira] [Issue Comment Deleted] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191220 [jira] [Reopened] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191220 [jira] [Resolved] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [tinkerpop-commits] 20191022 [tinkerpop] branch tp34 updated: Bump to Netty 4.1.42 fixes CVE-2019-16869 - CTR
MLIST - [zookeeper-commits] 20191003 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3563: Update Netty to fix CVE-2019-16869
MLIST - [zookeeper-commits] 20191003 [zookeeper] branch branch-3.5.6 updated: ZOOKEEPER-3563: Update Netty to fix CVE-2019-16869
MLIST - [zookeeper-commits] 20191003 [zookeeper] branch master updated: ZOOKEEPER-3563: Update Netty to address CVE-2019-16869
MLIST - [zookeeper-dev] 20190930 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
MLIST - [zookeeper-dev] 20190930 [jira] [Created] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty-3.10.6.Final.jar: CVE-2019-16869
MLIST - [zookeeper-dev] 20191001 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
MLIST - [zookeeper-dev] 20191002 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
MLIST - [zookeeper-issues] 20190930 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
MLIST - [zookeeper-issues] 20190930 [jira] [Created] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty-3.10.6.Final.jar: CVE-2019-16869
MLIST - [zookeeper-issues] 20190930 [jira] [Updated] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
MLIST - [zookeeper-issues] 20190930 [jira] [Updated] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty with CVE-2019-16869
MLIST - [zookeeper-issues] 20191001 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
MLIST - [zookeeper-issues] 20191003 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
MLIST - [zookeeper-issues] 20191008 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
MLIST - [zookeeper-issues] 20191008 [jira] [Resolved] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
OSSINDEX - [CVE-2019-16869] Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers...
REDHAT - RHSA-2019:3892
REDHAT - RHSA-2019:3901
REDHAT - RHSA-2020:0159
REDHAT - RHSA-2020:0160
REDHAT - RHSA-2020:0161
REDHAT - RHSA-2020:0164
REDHAT - RHSA-2020:0445
UBUNTU - USN-4532-1
Vulnerable Software & Versions:
CVE-2019-20444
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold." CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3: Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
DEBIAN - DSA-4885
FEDORA - FEDORA-2020-66b5f85ccc
MISC - https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final
MISC - https://github.com/netty/netty/issues/9866
MISC - https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1e9cbffa84bb7d92d7@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee340aca052e4c7ef4749@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff4c13049ac7129d319@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E
MLIST - [bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image
MLIST - [camel-commits] 20201120 [camel] branch camel-2.25.x updated: Updating Netty to 4.1.48.Final to fix some CVEs (e.g. CVE-2019-16869, CVE-2019-20444)
MLIST - [cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities
MLIST - [cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update
MLIST - [druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [druid-commits] 20200131 [GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12
MLIST - [geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch branch-3.1 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch branch-3.2 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch trunk updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-issues] 20200219 [jira] [Assigned] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,
MLIST - [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200224 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200225 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200309 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200309 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200310 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list
MLIST - [pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-branch36-java11 #39
MLIST - [zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-branch36-java8 #38
MLIST - [zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-master-maven-jdk11 #361
MLIST - [zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
OSSINDEX - [CVE-2019-20444] HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a...
REDHAT - RHSA-2020:0497
REDHAT - RHSA-2020:0567
REDHAT - RHSA-2020:0601
REDHAT - RHSA-2020:0605
REDHAT - RHSA-2020:0606
REDHAT - RHSA-2020:0804
REDHAT - RHSA-2020:0805
REDHAT - RHSA-2020:0806
REDHAT - RHSA-2020:0811
UBUNTU - USN-4532-1
Vulnerable Software & Versions:
CVE-2019-20445
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3: Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
DEBIAN - DSA-4885
FEDORA - FEDORA-2020-66b5f85ccc
MISC - https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final
MISC - https://github.com/netty/netty/issues/9861
MISC - https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E
MLIST - [bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image
MLIST - [cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities
MLIST - [cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update
MLIST - [druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [druid-commits] 20200131 [GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flume-issues] 20200410 [jira] [Created] (FLUME-3363) CVE-2019-20445
MLIST - [flume-issues] 20200415 [jira] [Updated] (FLUME-3363) CVE-2019-20445
MLIST - [flume-issues] 20200422 [jira] [Commented] (FLUME-3363) CVE-2019-20445
MLIST - [geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12
MLIST - [geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12
MLIST - [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list
MLIST - [pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [spark-issues] 20200309 [jira] [Created] (SPARK-31095) Upgrade netty version to fix security vulnerabilities
MLIST - [spark-reviews] 20200310 [GitHub] [spark] dongjoon-hyun commented on issue #27870: [SPARK-31095][BUILD][2.4] Upgrade netty-all to 4.1.47.Final
MLIST - [zookeeper-dev] 20200203 Re: [VOTE] Apache ZooKeeper release 3.6.0 candidate 1
MLIST - [zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
OSSINDEX - [CVE-2019-20445] HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to ...
REDHAT - RHSA-2020:0497
REDHAT - RHSA-2020:0567
REDHAT - RHSA-2020:0601
REDHAT - RHSA-2020:0605
REDHAT - RHSA-2020:0606
REDHAT - RHSA-2020:0804
REDHAT - RHSA-2020:0805
REDHAT - RHSA-2020:0806
REDHAT - RHSA-2020:0811
UBUNTU - USN-4532-1
Vulnerable Software & Versions:
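Added example covering the three HttpObjectDecoder entries above, CVE-2019-16869, CVE-2019-20444 and CVE-2019-20445 (not Netty code and not part of the report): a strict HTTP/1.1 request-head parser that fails closed on each of the ambiguities those entries describe, i.e. whitespace between a field name and its colon, a header line with no colon (or an obsolete line fold), a repeated Content-Length, and Content-Length alongside Transfer-Encoding. A lenient front end that accepts any of these and forwards them to a back end that reads them differently is what makes request smuggling possible. The function and sample names are this example's own, and the requests in SAMPLES are constructed illustrations, not payloads from the linked issues.

```python
"""Strict HTTP/1.1 request-head parsing that rejects the ambiguities behind
CVE-2019-16869, CVE-2019-20444 and CVE-2019-20445."""
import re

TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")      # RFC 7230 token (field-name)
DIGITS = re.compile(rb"^[0-9]+$")
BAD_VALUE_OCTET = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")  # CTLs other than HTAB


class SmugglingRisk(ValueError):
    """Any request head that two parsers could plausibly read differently."""


def parse_request_head(raw: bytes) -> dict:
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise SmugglingRisk("request head not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[2] not in (b"HTTP/1.1", b"HTTP/1.0"):
        raise SmugglingRisk("malformed request line")

    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            # obs-fold continuation line; CVE-2019-20444 is about a colon-less
            # line being silently treated as one of these
            raise SmugglingRisk(f"line folding not accepted: {line!r}")
        name, colon, value = line.partition(b":")
        if not colon:
            raise SmugglingRisk(f"header line lacks a colon: {line!r}")   # CVE-2019-20444
        if not TOKEN.match(name):
            # "Transfer-Encoding : chunked" fails here: the field-name would
            # include the space, which is not a token character            (CVE-2019-16869)
            raise SmugglingRisk(f"invalid field name: {name!r}")
        value = value.strip(b" \t")
        if BAD_VALUE_OCTET.search(value):
            raise SmugglingRisk(f"control character in value of {name!r}")
        headers.append((name.lower(), value))

    names = [n for n, _ in headers]
    content_lengths = [v for n, v in headers if n == b"content-length"]
    if len(content_lengths) > 1:
        raise SmugglingRisk("more than one Content-Length header")        # CVE-2019-20445
    if content_lengths and b"transfer-encoding" in names:
        raise SmugglingRisk("Content-Length alongside Transfer-Encoding")  # CVE-2019-20445
    if content_lengths and not DIGITS.match(content_lengths[0]):
        raise SmugglingRisk(f"non-numeric Content-Length {content_lengths[0]!r}")
    return {"method": parts[0], "target": parts[1], "version": parts[2], "headers": headers}


def rejects(raw: bytes) -> bool:
    try:
        parse_request_head(raw)
    except SmugglingRisk:
        return True
    return False


# Constructed samples, one per ambiguity.
SAMPLES = {
    "clean": b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello",
    "space_before_colon": (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                           b"Transfer-Encoding : chunked\r\nContent-Length: 5\r\n\r\n0\r\n\r\n"),
    "no_colon": (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                 b"X-Forwarded-For\r\nContent-Length: 5\r\n\r\nhello"),
    "obs_fold": (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                 b" chunked\r\nContent-Length: 5\r\n\r\nhello"),
    "double_content_length": (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                              b"Content-Length: 5\r\nContent-Length: 30\r\n\r\nhello"),
    "cl_and_te": (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                  b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:22} {'REJECT' if rejects(raw) else 'accept'}")
```

The same rules, applied at the edge, are also a cheap detection: any request that trips SmugglingRisk on a proxy that is about to forward it is worth logging with the client address, since a legitimate client has no reason to send these shapes.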
CVE-2021-21290
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM, or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
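Added example for the CVE-2021-21290 entry above (not Netty code and not part of the report; POSIX only): create_shared_tmp_file() reproduces with Python's equivalent call the outcome the advisory describes for File.createTempFile, a file whose mode is 0666 & ~umask, i.e. -rw-r--r-- under the usual umask 022, and private_base_dir() / create_private_tmp_file() correspond to the two fixes the advisory names, a base directory only the current user can read and files created with mode 0600. is_private_dir() is the check to run against whatever directory java.io.tmpdir or setBaseDir(...) points at. The umask is forced to 022 inside the insecure function so the result does not depend on the caller's environment; function names are this example's own.

```python
"""CVE-2021-21290 in miniature: a temporary file that inherits the process
umask versus upload storage created with owner-only permissions."""
import os
import stat
import tempfile


def create_shared_tmp_file(prefix: str = "upload_") -> str:
    """Unique name in the shared temp dir, mode taken from the umask: the
    File.createTempFile pattern. umask 022 is assumed here to be deterministic."""
    old = os.umask(0o022)
    try:
        path = os.path.join(tempfile.gettempdir(), prefix + os.urandom(8).hex())
        with open(path, "x"):          # O_CREAT|O_EXCL with mode 0666 & ~umask -> 0644
            pass
    finally:
        os.umask(old)
    return path


def private_base_dir() -> str:
    """What pointing java.io.tmpdir or DefaultHttpDataFactory.setBaseDir(...) at a
    per-user directory achieves: mkdtemp creates the directory with mode 0700."""
    return tempfile.mkdtemp(prefix="uploads-")


def create_private_tmp_file(base_dir: str, prefix: str = "upload_") -> str:
    """mkstemp opens with O_CREAT|O_EXCL and mode 0600 regardless of umask."""
    fd, path = tempfile.mkstemp(prefix=prefix, dir=base_dir)
    os.close(fd)
    return path


def readable_by_others(path: str) -> bool:
    """True if the group or world read bit is set, i.e. other local users can read it."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


def is_private_dir(path: str) -> bool:
    """Owned by the current user with no group/other bits at all, so nobody
    else can list, read or traverse it."""
    st = os.stat(path)
    return stat.S_ISDIR(st.st_mode) and st.st_uid == os.getuid() and (st.st_mode & 0o077) == 0


def run_demo() -> dict:
    """Create both kinds of file, record what other users could read, clean up."""
    shared = create_shared_tmp_file()
    base = private_base_dir()
    private = create_private_tmp_file(base)
    try:
        return {
            "shared_file_readable_by_others": readable_by_others(shared),
            "default_tmpdir_is_private": is_private_dir(tempfile.gettempdir()),
            "private_dir_is_private": is_private_dir(base),
            "private_file_readable_by_others": readable_by_others(private),
        }
    finally:
        os.remove(shared)
        os.remove(private)
        os.rmdir(base)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Checking the mode of the directory is not enough on its own: a private directory on a filesystem that is shared between hosts, or a directory that is private but pre-existing and owned by someone else, fails is_private_dir() for a reason, so treat a False result as a misconfiguration rather than a warning.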
CVE-2021-21295
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21409
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case. This was fixed as part of 4.1.61.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
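Added example for the CVE-2021-21295 and CVE-2021-21409 entries above (not Netty code and not part of the report): the HTTP/2 to HTTP/1.1 downgrade with the Content-Length check whose absence both entries describe. A stream is modelled as a list of (kind, payload, end_stream) tuples, a deliberate simplification of the frames Http2FrameCodec hands to a child channel; naive_downgrade() stands in for an unvalidated Http2StreamFrameToHttpObjectCodec path and strict_downgrade() for the validated one, which is also the shape of the custom ChannelInboundHandler the CVE-2021-21295 workaround asks for. Function names and frame contents are this example's own constructions.

```python
"""HTTP/2 -> HTTP/1.1 downgrade with Content-Length validation
(CVE-2021-21295), including the lone END_STREAM HEADERS frame (CVE-2021-21409)."""


class ContentLengthMismatch(ValueError):
    pass


def _collect(frames):
    """Gather the request headers and the concatenated DATA payload of one stream."""
    headers, body, ended = None, b"", False
    for kind, payload, end_stream in frames:
        if ended:
            raise ValueError("frame after END_STREAM")
        if kind == "HEADERS":
            if headers is not None:
                raise ValueError("trailers are not modelled here")
            headers = {k.lower(): v for k, v in payload.items()}
        elif kind == "DATA":
            body += payload
        else:
            raise ValueError(f"unsupported frame type {kind!r}")
        ended = end_stream
    if headers is None or not ended:
        raise ValueError("stream did not carry headers and END_STREAM")
    return headers, body


def _to_http1(headers, body, content_length) -> bytes:
    lines = [f"{headers[':method']} {headers[':path']} HTTP/1.1",
             f"Host: {headers[':authority']}"]
    for name, value in headers.items():
        if not name.startswith(":") and name != "content-length":
            lines.append(f"{name}: {value}")
    lines.append(f"Content-Length: {content_length}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def naive_downgrade(frames) -> bytes:
    """Vulnerable shape: the client's content-length is copied through unchecked.
    Under HTTP/2 framing it carried no meaning; on the HTTP/1.1 hop it decides
    where the back end thinks this request ends."""
    headers, body = _collect(frames)
    return _to_http1(headers, body, headers.get("content-length", len(body)))


def strict_downgrade(frames) -> bytes:
    """Fixed shape: a declared content-length must equal the bytes actually
    carried by DATA frames. A HEADERS frame with END_STREAM and no DATA is a
    0-byte body, so a non-zero declaration there is rejected as well."""
    headers, body = _collect(frames)
    declared = headers.get("content-length")
    if declared is not None and (not declared.isdigit() or int(declared) != len(body)):
        raise ContentLengthMismatch(f"declared {declared!r} bytes, stream carried {len(body)}")
    return _to_http1(headers, body, len(body))


def rejects(frames) -> bool:
    try:
        strict_downgrade(frames)
    except ContentLengthMismatch:
        return True
    return False


_REQ = {":method": "POST", ":path": "/submit", ":authority": "app.test"}

# Constructed streams.
CLEAN = [("HEADERS", {**_REQ, "content-length": "5"}, False), ("DATA", b"hello", True)]
# content-length 0 with a body: after a naive downgrade the back end reads the
# body as a second, attacker-chosen request on the same connection.
SMUGGLED = [("HEADERS", {**_REQ, "content-length": "0"}, False),
            ("DATA", b"GET /admin HTTP/1.1\r\nHost: app.test\r\n\r\n", True)]
# the CVE-2021-21409 case: one HEADERS frame, END_STREAM set, body declared but absent.
LONE_HEADERS = [("HEADERS", {**_REQ, "content-length": "10"}, True)]

if __name__ == "__main__":
    print(naive_downgrade(SMUGGLED).decode())
    for label, stream in (("clean", CLEAN), ("smuggled", SMUGGLED), ("lone_headers", LONE_HEADERS)):
        print(label, "REJECT" if rejects(stream) else "accept")
```

strict_downgrade() also rewrites the outgoing Content-Length from the byte count it actually forwards rather than echoing the client's value, so the back end and the proxy can never disagree about where the request ends even when the declared value happened to be right.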
POODLE vulnerability in SSLv3.0 support (OSSINDEX)
The SSLv3 support is vulnerable to a POODLE attack. SSLv3 should be disabled pending implementation of TLS_FALLBACK_SCSV by Oracle.
Unscored:
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:io.netty:netty:3.7.0.Final:*:*:*:*:*:*:*
netty-3.9.9.Final.jar
Description:
The Netty project is an effort to provide an asynchronous event-driven
network application framework and tools for rapid development of
maintainable high performance and high scalability protocol servers and
clients. In other words, Netty is a NIO client server framework which
enables quick and easy development of network applications such as protocol
servers and clients. It greatly simplifies and streamlines network
programming such as TCP and UDP socket server.
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.netty/netty/3.9.9.Final/58e0a7e7ff773f84d02d4f006ae9dd31ad22a0b1/netty-3.9.9.Final.jar
MD5: cff043f83e1e74a25819082405057517
SHA1: 58e0a7e7ff773f84d02d4f006ae9dd31ad22a0b1
SHA256: 697af248e216c9e158b3c9d6702f54541188fc92de19ac9d2f5496f80bce7aba
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type     Source    Name                  Value               Confidence
Vendor   pom       groupid               io.netty            Highest
Vendor   pom       url                   http://netty.io/    Highest
Vendor   jar       package name          netty               Highest
Vendor   Manifest  bundle-docurl         http://netty.io/    Low
Vendor   Manifest  bundle-symbolicname   org.jboss.netty     Medium
Vendor   Manifest  bundle-buddypolicy    registered          Low
Vendor   pom       name                  Netty               High
Vendor   gradle    groupid               io.netty            Highest
Vendor   Manifest  eclipse-buddypolicy   registered          Low
Vendor   jar       package name          jboss               Highest
Vendor   pom       organization url      http://netty.io/    Medium
Vendor   pom       organization name     The Netty Project   High
Vendor   pom       artifactid            netty               Low
Vendor   file      name                  netty               High
Product  pom       groupid               io.netty            Highest
Product  pom       url                   http://netty.io/    Medium
Product  jar       package name          netty               Highest
Product  Manifest  bundle-docurl         http://netty.io/    Low
Product  Manifest  Bundle-Name           Netty               Medium
Product  jar       package name          socket              Highest
Product  pom       artifactid            netty               Highest
Product  pom       organization name     The Netty Project   Low
Product  Manifest  bundle-symbolicname   org.jboss.netty     Medium
Product  pom       organization url      http://netty.io/    Low
Product  Manifest  bundle-buddypolicy    registered          Low
Product  pom       name                  Netty               High
Product  gradle    artifactid            netty               Highest
Product  Manifest  eclipse-buddypolicy   registered          Low
Product  jar       package name          jboss               Highest
Product  file      name                  netty               High
Version  gradle    version               3.9.9.Final         Highest
Version  Manifest  Bundle-Version        3.9.9.Final         High
Version  pom       version               3.9.9.Final         Highest
Published Vulnerabilities CVE-2019-16869 suppress
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N References:
BUGTRAQ - 20200105 [SECURITY] [DSA 4597-1] netty security update
DEBIAN - DSA-4597
MISC - https://github.com/netty/netty/compare/netty-4.1.41.Final...netty-4.1.42.Final
MISC - https://github.com/netty/netty/issues/9571
MLIST - [camel-commits] 20201120 [camel] branch camel-2.25.x updated: Updating Netty to 4.1.48.Final to fix some CVEs (e.g. CVE-2019-16869, CVE-2019-20444)
MLIST - [cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15417) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5
MLIST - [cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15418) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5 for Cassendra 2.2.5
MLIST - [cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities
MLIST - [cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6
MLIST - [cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16699) Security vulnerability CVE-2020-7238 for Netty
MLIST - [cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16699) Security vulnerability CVE-2020-7238 for Netty
MLIST - [debian-lts-announce] 20190930 [SECURITY] [DLA 1941-1] netty security update
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update
MLIST - [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities
MLIST - [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
MLIST - [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
MLIST - [druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities
MLIST - [druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch branch-3.1 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch branch-3.2 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch trunk updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-issues] 20200219 [jira] [Assigned] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,
MLIST - [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200224 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200225 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200309 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200309 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200310 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [olingo-dev] 20191206 [jira] [Assigned] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [olingo-dev] 20191206 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [olingo-dev] 20191206 [jira] [Created] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [olingo-dev] 20191206 [jira] [Resolved] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [olingo-dev] 20191206 [jira] [Updated] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [olingo-dev] 20191209 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [olingo-dev] 20191227 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list
MLIST - [pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [rocketmq-dev] 20201224 [GitHub] [rocketmq] codecov-io commented on pull request #2517: fix CVE-2019-16869, CVE-2018-8020
MLIST - [rocketmq-dev] 20201224 [GitHub] [rocketmq] coveralls commented on pull request #2517: fix CVE-2019-16869, CVE-2018-8020
MLIST - [rocketmq-dev] 20201224 [GitHub] [rocketmq] crazywen opened a new pull request #2517: fix CVE-2019-16869, CVE-2018-8020
MLIST - [spark-issues] 20191219 [jira] [Commented] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191219 [jira] [Created] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191219 [jira] [Updated] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191220 [jira] [Comment Edited] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191220 [jira] [Commented] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191220 [jira] [Issue Comment Deleted] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191220 [jira] [Reopened] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191220 [jira] [Resolved] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [tinkerpop-commits] 20191022 [tinkerpop] branch tp34 updated: Bump to Netty 4.1.42 fixes CVE-2019-16869 - CTR
MLIST - [zookeeper-commits] 20191003 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3563: Update Netty to fix CVE-2019-16869
MLIST - [zookeeper-commits] 20191003 [zookeeper] branch branch-3.5.6 updated: ZOOKEEPER-3563: Update Netty to fix CVE-2019-16869
MLIST - [zookeeper-commits] 20191003 [zookeeper] branch master updated: ZOOKEEPER-3563: Update Netty to address CVE-2019-16869
MLIST - [zookeeper-dev] 20190930 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
MLIST - [zookeeper-dev] 20190930 [jira] [Created] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty-3.10.6.Final.jar: CVE-2019-16869
MLIST - [zookeeper-dev] 20191001 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
MLIST - [zookeeper-dev] 20191002 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
MLIST - [zookeeper-issues] 20190930 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
MLIST - [zookeeper-issues] 20190930 [jira] [Created] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty-3.10.6.Final.jar: CVE-2019-16869
MLIST - [zookeeper-issues] 20190930 [jira] [Updated] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
MLIST - [zookeeper-issues] 20190930 [jira] [Updated] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty with CVE-2019-16869
MLIST - [zookeeper-issues] 20191001 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
MLIST - [zookeeper-issues] 20191003 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
MLIST - [zookeeper-issues] 20191008 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
MLIST - [zookeeper-issues] 20191008 [jira] [Resolved] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
OSSINDEX - [CVE-2019-16869] Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers...
REDHAT - RHSA-2019:3892
REDHAT - RHSA-2019:3901
REDHAT - RHSA-2020:0159
REDHAT - RHSA-2020:0160
REDHAT - RHSA-2020:0161
REDHAT - RHSA-2020:0164
REDHAT - RHSA-2020:0445
UBUNTU - USN-4532-1
Vulnerable Software & Versions:
CVE-2019-20444
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold." CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (6.4) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3: Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
DEBIAN - DSA-4885
FEDORA - FEDORA-2020-66b5f85ccc
MISC - https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final
MISC - https://github.com/netty/netty/issues/9866
MISC - https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1e9cbffa84bb7d92d7@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee340aca052e4c7ef4749@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff4c13049ac7129d319@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E
MLIST - [bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image
MLIST - [camel-commits] 20201120 [camel] branch camel-2.25.x updated: Updating Netty to 4.1.48.Final to fix some CVEs (e.g. CVE-2019-16869, CVE-2019-20444)
MLIST - [cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities
MLIST - [cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update
MLIST - [druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [druid-commits] 20200131 [GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12
MLIST - [geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch branch-3.1 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch branch-3.2 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch trunk updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-issues] 20200219 [jira] [Assigned] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,
MLIST - [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200224 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200225 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200309 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200309 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200310 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list
MLIST - [pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-branch36-java11 #39
MLIST - [zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-branch36-java8 #38
MLIST - [zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-master-maven-jdk11 #361
MLIST - [zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
OSSINDEX - [CVE-2019-20444] HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a...
REDHAT - RHSA-2020:0497
REDHAT - RHSA-2020:0567
REDHAT - RHSA-2020:0601
REDHAT - RHSA-2020:0605
REDHAT - RHSA-2020:0606
REDHAT - RHSA-2020:0804
REDHAT - RHSA-2020:0805
REDHAT - RHSA-2020:0806
REDHAT - RHSA-2020:0811
UBUNTU - USN-4532-1
Vulnerable Software & Versions:
CVE-2019-20445
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (6.4) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3: Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
DEBIAN - DSA-4885
FEDORA - FEDORA-2020-66b5f85ccc
MISC - https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final
MISC - https://github.com/netty/netty/issues/9861
MISC - https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E
MLIST - [bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image
MLIST - [cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities
MLIST - [cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update
MLIST - [druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [druid-commits] 20200131 [GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flume-issues] 20200410 [jira] [Created] (FLUME-3363) CVE-2019-20445
MLIST - [flume-issues] 20200415 [jira] [Updated] (FLUME-3363) CVE-2019-20445
MLIST - [flume-issues] 20200422 [jira] [Commented] (FLUME-3363) CVE-2019-20445
MLIST - [geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12
MLIST - [geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12
MLIST - [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list
MLIST - [pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [spark-issues] 20200309 [jira] [Created] (SPARK-31095) Upgrade netty version to fix security vulnerabilities
MLIST - [spark-reviews] 20200310 [GitHub] [spark] dongjoon-hyun commented on issue #27870: [SPARK-31095][BUILD][2.4] Upgrade netty-all to 4.1.47.Final
MLIST - [zookeeper-dev] 20200203 Re: [VOTE] Apache ZooKeeper release 3.6.0 candidate 1
MLIST - [zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
OSSINDEX - [CVE-2019-20445] HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to ...
REDHAT - RHSA-2020:0497
REDHAT - RHSA-2020:0567
REDHAT - RHSA-2020:0601
REDHAT - RHSA-2020:0605
REDHAT - RHSA-2020:0606
REDHAT - RHSA-2020:0804
REDHAT - RHSA-2020:0805
REDHAT - RHSA-2020:0806
REDHAT - RHSA-2020:0811
UBUNTU - USN-4532-1
Vulnerable Software & Versions:
CVE-2021-21290
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on disk is enabled. On Unix-like systems the temporary directory is shared between all users, so writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method "File.createTempFile" on Unix-like systems creates a randomly named file, but by default creates it with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read it. This is the case in Netty's "AbstractDiskHttpData", which is therefore vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM, or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
CVSSv2: Base Score: LOW (1.9) Vector: AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
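The workaround in the CVE-2021-21290 entry above only helps if the directory handed to the JVM (via the java.io.tmpdir system property, passed as -Djava.io.tmpdir=... on the command line) or to DefaultHttpDataFactory.setBaseDir(...) is actually private to the user the JVM runs as. The following is an added example for this page, not Netty code and not part of the report: a Python check of that property, together with a simulation that reproduces the two permission pictures the advisory describes (a shared directory with a -rw-r--r-- file versus a 0700 base directory with a 0600 file) on constructed scratch directories. Like the advisory, it is Unix-only.

```python
"""Check that the directory given to the JVM as java.io.tmpdir, or to
DefaultHttpDataFactory.setBaseDir(...), is private to the current user.

Added example for this page; not Netty code. simulate() builds throwaway
directories with explicit modes so the result does not depend on the umask.
Unix-only, like the advisory.
"""
import os
import shutil
import stat
import tempfile


def is_private_dir(path: str) -> bool:
    """True only if path is a directory, owned by us, with no group/other bits set."""
    st = os.stat(path)
    return stat.S_ISDIR(st.st_mode) and st.st_uid == os.getuid() and (st.st_mode & 0o077) == 0


def is_private_file(path: str) -> bool:
    """True only if the file is owned by us and readable by nobody else."""
    st = os.stat(path)
    return st.st_uid == os.getuid() and (st.st_mode & 0o077) == 0


def simulate(dir_mode: int, file_mode: int) -> dict:
    """Create a scratch directory with dir_mode and one upload file inside it
    with file_mode, run both checks, clean up, and return the verdicts.

    simulate(0o755, 0o644) reproduces the advisory's case: a shared temp
    directory plus File.createTempFile's default -rw-r--r--.
    simulate(0o700, 0o600) is what the private base-directory workaround
    should look like.
    """
    base = tempfile.mkdtemp()                       # mkdtemp creates it 0o700
    try:
        os.chmod(base, dir_mode)
        upload = os.path.join(base, "upload.bin")
        fd = os.open(upload, os.O_WRONLY | os.O_CREAT | os.O_EXCL, file_mode)
        os.fchmod(fd, file_mode)                    # force the mode regardless of umask
        os.write(fd, b"constructed upload contents")
        os.close(fd)
        return {"dir_private": is_private_dir(base),
                "file_private": is_private_file(upload)}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print("shared tmp, default file mode:", simulate(0o755, 0o644))
    print("private base dir:             ", simulate(0o700, 0o600))
```

Run is_private_dir() as the JVM's own user against the directory you intend to pass; a false result means a local user can still read whatever the multipart decoder spools there, regardless of the Netty version.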
CVE-2021-21295
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and is then sent up to the child channel's pipeline and proxied through to a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the Content-Length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, users can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: LOW (2.6) Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21409
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The Content-Length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, whose fix missed this one case. This was fixed as part of 4.1.61.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
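The CWE-444 entries above for this jar (CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, and the HTTP/2 to HTTP/1.1 downgrade in CVE-2021-21295 and CVE-2021-21409) all come down to the same condition: a front end accepts a header block that a second parser behind it can frame differently. The following is an added example for this page, not Netty code and not part of the report. It is a strict HTTP/1.1 framing check in Python that rejects each of the header shapes those CVEs describe (whitespace before the colon, a line with no colon, a second Content-Length, Content-Length next to Transfer-Encoding), plus the declared-length-versus-received-body check a downgrading proxy needs. The sample requests in SAMPLES are constructed for the demonstration.

```python
"""Strict HTTP/1.1 framing checks for the CWE-444 cases listed above.

Added example for this page; not Netty code. The messages in SAMPLES are
constructed for the demonstration.
"""
import re
from typing import List, Tuple

# RFC 7230 "token" characters: a field-name must consist only of these, so a
# name such as "Transfer-Encoding " (space before the colon) is not valid.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def check_header_block(raw: bytes) -> List[str]:
    """Return the framing problems found in an HTTP/1.1 head (request line + headers).

    An empty list means none of the ambiguities covered here are present. Any
    entry is a reason for a strict front end to answer 400 instead of guessing,
    because a more lenient parser behind it may guess differently, which is
    exactly the smuggling condition.
    """
    problems: List[str] = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["header block not terminated by CRLFCRLF"]
    content_lengths: List[bytes] = []
    has_transfer_encoding = False
    for line in head.split(b"\r\n")[1:]:          # element [0] is the request line
        if line[:1] in (b" ", b"\t"):
            # Obsolete line folding. CVE-2019-20444 notes that a colon-less line
            # may be taken for an "invalid fold", so folds are refused outright.
            problems.append(f"obsolete line folding: {line!r}")
            continue
        name, colon, value = line.partition(b":")
        if not colon:
            # CVE-2019-20444: a header line without a colon.
            problems.append(f"header line without colon: {line!r}")
            continue
        if not _TOKEN.match(name.decode("latin-1")):
            # CVE-2019-16869: whitespace before the colon ("Transfer-Encoding : chunked").
            problems.append(f"field name is not a token: {name!r}")
            continue
        lname, value = name.lower(), value.strip()
        if lname == b"content-length":
            content_lengths.append(value)
        elif lname == b"transfer-encoding":
            has_transfer_encoding = True
    # CVE-2019-20445: a second Content-Length, or Content-Length beside Transfer-Encoding.
    if len(content_lengths) > 1:
        problems.append(f"multiple Content-Length headers: {content_lengths!r}")
    if content_lengths and has_transfer_encoding:
        problems.append("Content-Length and Transfer-Encoding both present")
    for v in content_lengths:
        if not v.isdigit():
            problems.append(f"non-numeric Content-Length: {v!r}")
    return problems


def downgrade_is_safe(h2_headers: List[Tuple[bytes, bytes]], body: bytes) -> bool:
    """CVE-2021-21295 / CVE-2021-21409 check for a proxy that re-serialises an
    HTTP/2 request as HTTP/1.1: HTTP/2 framed the body by stream, but the
    HTTP/1.1 backend will frame it by the content-length number, so a declared
    content-length must equal the DATA actually received. False means the
    request must not be forwarded as-is.
    """
    declared = [v for n, v in h2_headers if n.lower() == b"content-length"]
    if not declared:
        return True                  # the HTTP/1.1 encoder will add its own framing
    if len(set(declared)) != 1 or not declared[0].isdigit():
        return False
    return int(declared[0]) == len(body)


# Constructed sample messages, one per case.
SAMPLES = {
    "clean": b"POST / HTTP/1.1\r\nHost: x\r\nContent-Length: 4\r\n\r\nabcd",
    "space_before_colon": b"POST / HTTP/1.1\r\nHost: x\r\nTransfer-Encoding : chunked\r\nContent-Length: 4\r\n\r\n",
    "no_colon": b"POST / HTTP/1.1\r\nHost: x\r\nX-Broken header\r\nContent-Length: 0\r\n\r\n",
    "dup_cl": b"POST / HTTP/1.1\r\nHost: x\r\nContent-Length: 4\r\nContent-Length: 10\r\n\r\n",
    "cl_te": b"POST / HTTP/1.1\r\nHost: x\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n",
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, check_header_block(msg))
    print("h2 downgrade ok:", downgrade_is_safe([(b":method", b"POST"), (b"content-length", b"4")], b"abcd"))
    print("h2 downgrade ok:", downgrade_is_safe([(b":method", b"POST"), (b"content-length", b"100")], b"abcd"))
```

The check is deliberately stricter than RFC 7230 requires (identical duplicate Content-Length values are allowed there); in front of a fleet of parsers with different leniencies, rejecting is the only answer that cannot be disagreed with.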
netty-all-4.0.43.Final.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.netty/netty-all/4.0.43.Final/9781746a179070e886e1fb4b1971a6bbf02061a4/netty-all-4.0.43.Final.jar
MD5: 27eaaaa1996fbbd1195deb7e1b20a71c
SHA1: 9781746a179070e886e1fb4b1971a6bbf02061a4
SHA256: fe754fb5d8bd2d088fc92fcfa97297f1e8055b43d4fd64b01179a00a978a692d
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | io.netty | Highest
Vendor | pom | name | Netty/All-in-One | High
Vendor | jar | package name | netty | Highest
Vendor | gradle | groupid | io.netty | Highest
Vendor | Manifest | Implementation-Vendor-Id | io.netty | Medium
Vendor | pom | parent-artifactid | netty-parent | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | implementation-url | http://netty.io/netty-all/ | Low
Vendor | pom | artifactid | netty-all | Low
Vendor | Manifest | Implementation-Vendor | The Netty Project | High
Vendor | file | name | netty-all | High
Product | pom | groupid | io.netty | Highest
Product | pom | name | Netty/All-in-One | High
Product | jar | package name | netty | Highest
Product | Manifest | Implementation-Title | Netty/All-in-One | High
Product | pom | artifactid | netty-all | Highest
Product | gradle | artifactid | netty-all | Highest
Product | Manifest | implementation-url | http://netty.io/netty-all/ | Low
Product | jar | package name | io | Highest
Product | pom | parent-artifactid | netty-parent | Medium
Product | file | name | netty-all | High
Version | Manifest | Implementation-Version | 4.0.43.Final | High
Version | pom | version | 4.0.43.Final | Highest
Version | gradle | version | 4.0.43.Final | Highest
Published Vulnerabilities
CVE-2019-16869
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
BUGTRAQ - 20200105 [SECURITY] [DSA 4597-1] netty security update
DEBIAN - DSA-4597
MISC - https://github.com/netty/netty/compare/netty-4.1.41.Final...netty-4.1.42.Final
MISC - https://github.com/netty/netty/issues/9571
MLIST - [camel-commits] 20201120 [camel] branch camel-2.25.x updated: Updating Netty to 4.1.48.Final to fix some CVEs (e.g. CVE-2019-16869, CVE-2019-20444)
MLIST - [cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15417) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5
MLIST - [cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15418) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5 for Cassendra 2.2.5
MLIST - [cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities
MLIST - [cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6
MLIST - [cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16699) Security vulnerability CVE-2020-7238 for Netty
MLIST - [cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16699) Security vulnerability CVE-2020-7238 for Netty
MLIST - [debian-lts-announce] 20190930 [SECURITY] [DLA 1941-1] netty security update
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update
MLIST - [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities
MLIST - [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
MLIST - [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
MLIST - [druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities
MLIST - [druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch branch-3.1 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch branch-3.2 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch trunk updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-issues] 20200219 [jira] [Assigned] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,
MLIST - [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200224 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200225 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200309 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200309 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200310 [jira] [Commented] (HADOOP-16871) Upgrade Netty version 
to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869 MLIST - [olingo-dev] 20191206 [jira] [Assigned] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty MLIST - [olingo-dev] 20191206 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty MLIST - [olingo-dev] 20191206 [jira] [Created] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty MLIST - [olingo-dev] 20191206 [jira] [Resolved] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty MLIST - [olingo-dev] 20191206 [jira] [Updated] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty MLIST - [olingo-dev] 20191209 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty MLIST - [olingo-dev] 20191227 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty MLIST - [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list MLIST - [pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444 MLIST - [pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444 MLIST - [pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444 MLIST - [rocketmq-dev] 20201224 [GitHub] [rocketmq] codecov-io commented on pull request #2517: fix CVE-2019-16869, CVE-2018-8020 MLIST - [rocketmq-dev] 20201224 [GitHub] [rocketmq] coveralls commented on pull request #2517: fix CVE-2019-16869, CVE-2018-8020 MLIST - [rocketmq-dev] 20201224 [GitHub] [rocketmq] crazywen opened a new pull request #2517: fix 
CVE-2019-16869, CVE-2018-8020 MLIST - [spark-issues] 20191219 [jira] [Commented] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869 MLIST - [spark-issues] 20191219 [jira] [Created] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869 MLIST - [spark-issues] 20191219 [jira] [Updated] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869 MLIST - [spark-issues] 20191220 [jira] [Comment Edited] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869 MLIST - [spark-issues] 20191220 [jira] [Commented] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869 MLIST - [spark-issues] 20191220 [jira] [Issue Comment Deleted] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869 MLIST - [spark-issues] 20191220 [jira] [Reopened] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869 MLIST - [spark-issues] 20191220 [jira] [Resolved] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869 MLIST - [tinkerpop-commits] 20191022 [tinkerpop] branch tp34 updated: Bump to Netty 4.1.42 fixes CVE-2019-16869 - CTR MLIST - [zookeeper-commits] 20191003 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3563: Update Netty to fix CVE-2019-16869 MLIST - [zookeeper-commits] 20191003 [zookeeper] branch branch-3.5.6 updated: ZOOKEEPER-3563: Update Netty to fix CVE-2019-16869 MLIST - [zookeeper-commits] 20191003 [zookeeper] branch master updated: ZOOKEEPER-3563: Update Netty to address CVE-2019-16869 MLIST - [zookeeper-dev] 20190930 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2 MLIST - [zookeeper-dev] 20190930 [jira] [Created] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty-3.10.6.Final.jar: CVE-2019-16869 MLIST - [zookeeper-dev] 20191001 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2 MLIST - [zookeeper-dev] 20191002 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2 MLIST - [zookeeper-issues] 20190930 [jira] [Commented] (ZOOKEEPER-3563) dependency check 
failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty MLIST - [zookeeper-issues] 20190930 [jira] [Created] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty-3.10.6.Final.jar: CVE-2019-16869 MLIST - [zookeeper-issues] 20190930 [jira] [Updated] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty MLIST - [zookeeper-issues] 20190930 [jira] [Updated] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty with CVE-2019-16869 MLIST - [zookeeper-issues] 20191001 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty MLIST - [zookeeper-issues] 20191003 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty MLIST - [zookeeper-issues] 20191008 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty MLIST - [zookeeper-issues] 20191008 [jira] [Resolved] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty OSSINDEX - [CVE-2019-16869] Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers... REDHAT - RHSA-2019:3892 REDHAT - RHSA-2019:3901 REDHAT - RHSA-2020:0159 REDHAT - RHSA-2020:0160 REDHAT - RHSA-2020:0161 REDHAT - RHSA-2020:0164 REDHAT - RHSA-2020:0445 UBUNTU - USN-4532-1
Vulnerable Software & Versions:
CVE-2019-20444
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold." CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3: Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
DEBIAN - DSA-4885 FEDORA - FEDORA-2020-66b5f85ccc MISC - https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final MISC - https://github.com/netty/netty/issues/9866 MISC - https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1e9cbffa84bb7d92d7@%3Cnotifications.zookeeper.apache.org%3E MISC - https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E MISC - https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee340aca052e4c7ef4749@%3Cnotifications.zookeeper.apache.org%3E MISC - https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E MISC - https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff4c13049ac7129d319@%3Cnotifications.zookeeper.apache.org%3E MISC - https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E MISC - https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E MISC - https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E MISC - https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E MLIST - [bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image MLIST - [camel-commits] 20201120 [camel] branch camel-2.25.x updated: Updating Netty to 4.1.48.Final to fix some CVEs (e.g. 
CVE-2019-16869, CVE-2019-20444) MLIST - [cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities MLIST - [cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6 MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update MLIST - [druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444 MLIST - [druid-commits] 20200131 [GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444 MLIST - [druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444 MLIST - [flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink MLIST - [flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink MLIST - [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx MLIST - [geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12 MLIST - [geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12 MLIST - [hadoop-common-commits] 20200309 [hadoop] branch branch-3.1 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869 MLIST - [hadoop-common-commits] 20200309 [hadoop] branch branch-3.2 updated: HADOOP-16871. 
Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869 MLIST - [hadoop-common-commits] 20200309 [hadoop] branch trunk updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869 MLIST - [hadoop-common-issues] 20200219 [jira] [Assigned] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869 MLIST - [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, MLIST - [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869 MLIST - [hadoop-common-issues] 20200224 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869 MLIST - [hadoop-common-issues] 20200225 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869 MLIST - [hadoop-common-issues] 20200309 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869 MLIST - [hadoop-common-issues] 20200309 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869 MLIST - [hadoop-common-issues] 20200310 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869 MLIST - [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list MLIST - [pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444 MLIST - [pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444 MLIST - [pulsar-commits] 20210122 
[GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444 MLIST - [zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-branch36-java11 #39 MLIST - [zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-branch36-java8 #38 MLIST - [zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-master-maven-jdk11 #361 MLIST - [zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 OSSINDEX - [CVE-2019-20444] HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a... REDHAT - RHSA-2020:0497 REDHAT - RHSA-2020:0567 REDHAT - RHSA-2020:0601 REDHAT - RHSA-2020:0605 REDHAT - RHSA-2020:0606 REDHAT - RHSA-2020:0804 REDHAT - RHSA-2020:0805 REDHAT - RHSA-2020:0806 REDHAT - RHSA-2020:0811 UBUNTU - USN-4532-1
Vulnerable Software & Versions:
CVE-2019-20445
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3: Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
DEBIAN - DSA-4885 FEDORA - FEDORA-2020-66b5f85ccc MISC - https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final MISC - https://github.com/netty/netty/issues/9861 MISC - https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E MISC - https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E MISC - https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E MISC - https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E MISC - https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E MISC - https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E MLIST - [bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image MLIST - [cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities MLIST - [cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6 MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update MLIST - [druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444 MLIST - [druid-commits] 20200131 
[GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444 MLIST - [druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444 MLIST - [flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink MLIST - [flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink MLIST - [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx MLIST - [flume-issues] 20200410 [jira] [Created] (FLUME-3363) CVE-2019-20445 MLIST - [flume-issues] 20200415 [jira] [Updated] (FLUME-3363) CVE-2019-20445 MLIST - [flume-issues] 20200422 [jira] [Commented] (FLUME-3363) CVE-2019-20445 MLIST - [geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12 MLIST - [geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12 MLIST - [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list MLIST - [pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444 MLIST - [pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444 MLIST - [pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444 MLIST - [spark-issues] 20200309 [jira] [Created] (SPARK-31095) Upgrade netty version to fix security vulnerabilities MLIST - [spark-reviews] 20200310 [GitHub] [spark] 
dongjoon-hyun commented on issue #27870: [SPARK-31095][BUILD][2.4] Upgrade netty-all to 4.1.47.Final MLIST - [zookeeper-dev] 20200203 Re: [VOTE] Apache ZooKeeper release 3.6.0 candidate 1 MLIST - [zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 OSSINDEX - [CVE-2019-20445] HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to ... REDHAT - RHSA-2020:0497 REDHAT - RHSA-2020:0567 REDHAT - RHSA-2020:0601 REDHAT - RHSA-2020:0605 REDHAT - RHSA-2020:0606 REDHAT - RHSA-2020:0804 REDHAT - RHSA-2020:0805 REDHAT - RHSA-2020:0806 REDHAT - RHSA-2020:0811 UBUNTU - USN-4532-1
Vulnerable Software & Versions:
CVE-2021-21290
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method "File.createTempFile" on Unix-like systems creates a randomly named file, but by default creates it with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read it. This is the case in netty's "AbstractDiskHttpData", which is therefore vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM, or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21295
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and is then sent up to the child channel's pipeline and proxied through to a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of the following are true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, users can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21409
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, whose fix missed this one case. This was fixed as part of 4.1.61.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
netty-buffer-4.0.56.Final.jar
Description:
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
License:
http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.netty/netty-buffer/4.0.56.Final/b39eb8a9e5c99a31773fe7fc93523fd379d7a71/netty-buffer-4.0.56.Final.jar
MD5: b99393d447c142d0df3d9e161d1018f4
SHA1: 0b39eb8a9e5c99a31773fe7fc93523fd379d7a71
SHA256: 055f5ccfd7f9683c5d961fbf4466778d5b91ebf8b1f2ddd2eed539a82352b695
Referenced In Projects/Scopes: cassandra:compileClasspath calcite:sqllineClasspath cassandra:runtimeClasspath cassandra:default
Evidence:
Type    | Source   | Name                   | Value                                                | Confidence
Vendor  | pom      | groupid                | io.netty                                             | Highest
Vendor  | jar      | package name           | netty                                                | Highest
Vendor  | Manifest | require-capability     | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"   | Low
Vendor  | Manifest | bundle-docurl          | http://netty.io/                                     | Low
Vendor  | pom      | name                   | Netty/Buffer                                         | High
Vendor  | Manifest | implementation-url     | http://netty.io/netty-buffer/                        | Low
Vendor  | pom      | artifactid             | netty-buffer                                         | Low
Vendor  | file     | name                   | netty-buffer                                         | High
Vendor  | gradle   | groupid                | io.netty                                             | Highest
Vendor  | Manifest | Implementation-Vendor-Id | io.netty                                           | Medium
Vendor  | Manifest | bundle-symbolicname    | io.netty.buffer                                      | Medium
Vendor  | pom      | parent-artifactid      | netty-parent                                         | Low
Vendor  | jar      | package name           | io                                                   | Highest
Vendor  | jar      | package name           | buffer                                               | Highest
Vendor  | Manifest | Implementation-Vendor  | The Netty Project                                    | High
Product | pom      | groupid                | io.netty                                             | Highest
Product | pom      | artifactid             | netty-buffer                                         | Highest
Product | Manifest | Bundle-Name            | Netty/Buffer                                         | Medium
Product | jar      | package name           | netty                                                | Highest
Product | Manifest | require-capability     | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"   | Low
Product | Manifest | bundle-docurl          | http://netty.io/                                     | Low
Product | pom      | name                   | Netty/Buffer                                         | High
Product | Manifest | implementation-url     | http://netty.io/netty-buffer/                        | Low
Product | pom      | parent-artifactid      | netty-parent                                         | Medium
Product | file     | name                   | netty-buffer                                         | High
Product | Manifest | Implementation-Title   | Netty/Buffer                                         | High
Product | Manifest | bundle-symbolicname    | io.netty.buffer                                      | Medium
Product | jar      | package name           | io                                                   | Highest
Product | gradle   | artifactid             | netty-buffer                                         | Highest
Product | jar      | package name           | buffer                                               | Highest
Version | gradle   | version                | 4.0.56.Final                                         | Highest
Version | Manifest | Bundle-Version         | 4.0.56.Final                                         | High
Version | pom      | version                | 4.0.56.Final                                         | Highest
Version | Manifest | Implementation-Version | 4.0.56.Final                                         | High
Published Vulnerabilities
CVE-2019-16869
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
BUGTRAQ - 20200105 [SECURITY] [DSA 4597-1] netty security update DEBIAN - DSA-4597 MISC - https://github.com/netty/netty/compare/netty-4.1.41.Final...netty-4.1.42.Final MISC - https://github.com/netty/netty/issues/9571 MLIST - [camel-commits] 20201120 [camel] branch camel-2.25.x updated: Updating Netty to 4.1.48.Final to fix some CVEs (e.g. CVE-2019-16869, CVE-2019-20444) MLIST - [cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15417) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5 MLIST - [cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15418) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5 for Cassendra 2.2.5 MLIST - [cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities MLIST - [cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6 MLIST - [cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16699) Security vulnerability CVE-2020-7238 for Netty MLIST - [cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16699) Security vulnerability CVE-2020-7238 for Netty MLIST - [debian-lts-announce] 20190930 [SECURITY] [DLA 1941-1] netty security update MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update MLIST - [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities MLIST - [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities MLIST - [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities MLIST - [druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities MLIST - [druid-commits] 
Vulnerable Software & Versions:
CVE-2019-20444
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold." CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3: Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2019-20445
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3: Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21290
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method "File.createTempFile" on Unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify their own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21295
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, users can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21409
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which did not fix this one case. This was fixed as part of 4.1.61.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
netty-codec-4.0.56.Final.jar
Description:
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
License:
http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.0.56.Final/bd9ecf1cf3721bbedfd2fb0c52d4f56803ff270d/netty-codec-4.0.56.Final.jar
MD5: 663d30a9b118bab61dad8824d9f99eda
SHA1: bd9ecf1cf3721bbedfd2fb0c52d4f56803ff270d
SHA256: f5921cb7f0f7a9188241321cbab4e208c75d49f4b97fae46eed01e60ef57800f
Referenced In Projects/Scopes: cassandra:compileClasspath calcite:sqllineClasspath cassandra:runtimeClasspath cassandra:default
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | io.netty | Highest
Vendor | file | name | netty-codec | High
Vendor | jar | package name | netty | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Vendor | Manifest | bundle-docurl | http://netty.io/ | Low
Vendor | pom | name | Netty/Codec | High
Vendor | gradle | groupid | io.netty | Highest
Vendor | Manifest | Implementation-Vendor-Id | io.netty | Medium
Vendor | jar | package name | codec | Highest
Vendor | Manifest | implementation-url | http://netty.io/netty-codec/ | Low
Vendor | pom | parent-artifactid | netty-parent | Low
Vendor | jar | package name | io | Highest
Vendor | pom | artifactid | netty-codec | Low
Vendor | Manifest | Implementation-Vendor | The Netty Project | High
Vendor | Manifest | bundle-symbolicname | io.netty.codec | Medium
Product | pom | groupid | io.netty | Highest
Product | file | name | netty-codec | High
Product | jar | package name | netty | Highest
Product | gradle | artifactid | netty-codec | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | Manifest | bundle-docurl | http://netty.io/ | Low
Product | pom | parent-artifactid | netty-parent | Medium
Product | pom | name | Netty/Codec | High
Product | pom | artifactid | netty-codec | Highest
Product | Manifest | Bundle-Name | Netty/Codec | Medium
Product | jar | package name | codec | Highest
Product | Manifest | implementation-url | http://netty.io/netty-codec/ | Low
Product | jar | package name | io | Highest
Product | Manifest | Implementation-Title | Netty/Codec | High
Product | Manifest | bundle-symbolicname | io.netty.codec | Medium
Version | gradle | version | 4.0.56.Final | Highest
Version | Manifest | Bundle-Version | 4.0.56.Final | High
Version | pom | version | 4.0.56.Final | Highest
Version | Manifest | Implementation-Version | 4.0.56.Final | High
Published Vulnerabilities
CVE-2019-16869
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2019-20444
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3: Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2019-20445
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3: Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2021-21290
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method "File.createTempFile" on Unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in Netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify their own "java.io.tmpdir" when starting the JVM, or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2021-21295
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the Content-Length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2021-21409
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The Content-Length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
netty-common-4.0.56.Final.jar
Description:
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
License:
http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.netty/netty-common/4.0.56.Final/b0cd4003e71c5b1b43344bf58050f2133f27bac9/netty-common-4.0.56.Final.jar
MD5: afa9c32ec2a11fe0bc23a82a432c9451
SHA1: b0cd4003e71c5b1b43344bf58050f2133f27bac9
SHA256: 5d50a53f063c6544433951a04099b0eec17ddd5a1c7f5b0c63f38912daef1677
Referenced In Projects/Scopes: cassandra:compileClasspath calcite:sqllineClasspath cassandra:runtimeClasspath cassandra:default
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | io.netty | Highest
Vendor | jar | package name | netty | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Vendor | Manifest | bundle-docurl | http://netty.io/ | Low
Vendor | Manifest | bundle-symbolicname | io.netty.common | Medium
Vendor | file | name | netty-common | High
Vendor | gradle | groupid | io.netty | Highest
Vendor | pom | artifactid | netty-common | Low
Vendor | Manifest | Implementation-Vendor-Id | io.netty | Medium
Vendor | pom | parent-artifactid | netty-parent | Low
Vendor | pom | name | Netty/Common | High
Vendor | jar | package name | io | Highest
Vendor | Manifest | Implementation-Vendor | The Netty Project | High
Vendor | Manifest | implementation-url | http://netty.io/netty-common/ | Low
Product | pom | groupid | io.netty | Highest
Product | Manifest | Bundle-Name | Netty/Common | Medium
Product | pom | artifactid | netty-common | Highest
Product | jar | package name | netty | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | Manifest | bundle-docurl | http://netty.io/ | Low
Product | Manifest | Implementation-Title | Netty/Common | High
Product | gradle | artifactid | netty-common | Highest
Product | Manifest | bundle-symbolicname | io.netty.common | Medium
Product | file | name | netty-common | High
Product | pom | parent-artifactid | netty-parent | Medium
Product | jar | package name | version | Highest
Product | pom | name | Netty/Common | High
Product | jar | package name | io | Highest
Product | Manifest | implementation-url | http://netty.io/netty-common/ | Low
Version | gradle | version | 4.0.56.Final | Highest
Version | Manifest | Bundle-Version | 4.0.56.Final | High
Version | pom | version | 4.0.56.Final | Highest
Version | Manifest | Implementation-Version | 4.0.56.Final | High
Published Vulnerabilities
CVE-2019-16869
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2019-20444
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2:
Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
DEBIAN - DSA-4885
FEDORA - FEDORA-2020-66b5f85ccc
MISC - https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final
MISC - https://github.com/netty/netty/issues/9866
MISC - https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1e9cbffa84bb7d92d7@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee340aca052e4c7ef4749@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff4c13049ac7129d319@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E
MLIST - [bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image
MLIST - [camel-commits] 20201120 [camel] branch camel-2.25.x updated: Updating Netty to 4.1.48.Final to fix some CVEs (e.g. CVE-2019-16869, CVE-2019-20444)
MLIST - [cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities
MLIST - [cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update
MLIST - [druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [druid-commits] 20200131 [GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12
MLIST - [geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch branch-3.1 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch branch-3.2 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch trunk updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-issues] 20200219 [jira] [Assigned] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,
MLIST - [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200224 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200225 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200309 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200309 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200310 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list
MLIST - [pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-branch36-java11 #39
MLIST - [zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-branch36-java8 #38
MLIST - [zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-master-maven-jdk11 #361
MLIST - [zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
REDHAT - RHSA-2020:0497
REDHAT - RHSA-2020:0567
REDHAT - RHSA-2020:0601
REDHAT - RHSA-2020:0605
REDHAT - RHSA-2020:0606
REDHAT - RHSA-2020:0804
REDHAT - RHSA-2020:0805
REDHAT - RHSA-2020:0806
REDHAT - RHSA-2020:0811
UBUNTU - USN-4532-1
Vulnerable Software & Versions:
CVE-2019-20445
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2:
Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
DEBIAN - DSA-4885
FEDORA - FEDORA-2020-66b5f85ccc
MISC - https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final
MISC - https://github.com/netty/netty/issues/9861
MISC - https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E
MLIST - [bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image
MLIST - [cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities
MLIST - [cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update
MLIST - [druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [druid-commits] 20200131 [GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flume-issues] 20200410 [jira] [Created] (FLUME-3363) CVE-2019-20445
MLIST - [flume-issues] 20200415 [jira] [Updated] (FLUME-3363) CVE-2019-20445
MLIST - [flume-issues] 20200422 [jira] [Commented] (FLUME-3363) CVE-2019-20445
MLIST - [geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12
MLIST - [geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12
MLIST - [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list
MLIST - [pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [spark-issues] 20200309 [jira] [Created] (SPARK-31095) Upgrade netty version to fix security vulnerabilities
MLIST - [spark-reviews] 20200310 [GitHub] [spark] dongjoon-hyun commented on issue #27870: [SPARK-31095][BUILD][2.4] Upgrade netty-all to 4.1.47.Final
MLIST - [zookeeper-dev] 20200203 Re: [VOTE] Apache ZooKeeper release 3.6.0 candidate 1
MLIST - [zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
REDHAT - RHSA-2020:0497
REDHAT - RHSA-2020:0567
REDHAT - RHSA-2020:0601
REDHAT - RHSA-2020:0605
REDHAT - RHSA-2020:0606
REDHAT - RHSA-2020:0804
REDHAT - RHSA-2020:0805
REDHAT - RHSA-2020:0806
REDHAT - RHSA-2020:0811
UBUNTU - USN-4532-1
Vulnerable Software & Versions:
CVE-2021-21290
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storage of uploads on disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method "File.createTempFile" on Unix-like systems creates a randomly named file, but by default creates this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is therefore vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM, or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
CVSSv2:
Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21295
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec`, and is then sent up to the child channel's pipeline and proxied through to a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, users can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2:
Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21409
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, whose fix missed this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
netty-common-4.0.56.Final.jar (shaded: org.jctools:jctools-core:2.1.1)
Description:
Java Concurrency Tools Core Library
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.netty/netty-common/4.0.56.Final/b0cd4003e71c5b1b43344bf58050f2133f27bac9/netty-common-4.0.56.Final.jar/META-INF/maven/org.jctools/jctools-core/pom.xml
MD5: d532029de01ef1c790266dea91b1ecdc
SHA1: f9571c65e428d21c795a34de2b217419dfc0e2f7
SHA256: db8f1cd5b23d38e3dcf7020d739e1c2f9559489051291d8a07095e62b8d7f750
Referenced In Projects/Scopes: cassandra:compileClasspath calcite:sqllineClasspath cassandra:runtimeClasspath cassandra:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | name | Java Concurrency Tools Core Library | High
Vendor | pom | groupid | jctools | Highest
Vendor | pom | artifactid | jctools-core | Low
Vendor | pom | url | JCTools | Highest
Product | pom | name | Java Concurrency Tools Core Library | High
Product | pom | url | JCTools | High
Product | pom | artifactid | jctools-core | Highest
Product | pom | groupid | jctools | Highest
Version | pom | version | 2.1.1 | Highest
netty-handler-4.0.56.Final.jar
Description:
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
License:
http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.0.56.Final/bf3ee7d214897d3968c1d29a28ee6d5f964876ae/netty-handler-4.0.56.Final.jar
MD5: 1905d61b3a8a16b53ce49a67771fd48d
SHA1: bf3ee7d214897d3968c1d29a28ee6d5f964876ae
SHA256: b1a634a593bb9d1c3e881817991aa5e5fe34b338295ccc1f464511d0af809c61
Referenced In Projects/Scopes: cassandra:compileClasspath calcite:sqllineClasspath cassandra:runtimeClasspath cassandra:default
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | io.netty | Highest
Vendor | jar | package name | netty | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Vendor | Manifest | bundle-docurl | http://netty.io/ | Low
Vendor | Manifest | implementation-url | http://netty.io/netty-handler/ | Low
Vendor | jar | package name | handler | Highest
Vendor | pom | name | Netty/Handler | High
Vendor | gradle | groupid | io.netty | Highest
Vendor | Manifest | bundle-symbolicname | io.netty.handler | Medium
Vendor | Manifest | Implementation-Vendor-Id | io.netty | Medium
Vendor | file | name | netty-handler | High
Vendor | pom | parent-artifactid | netty-parent | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | Implementation-Vendor | The Netty Project | High
Vendor | pom | artifactid | netty-handler | Low
Product | pom | groupid | io.netty | Highest
Product | jar | package name | netty | Highest
Product | Manifest | Implementation-Title | Netty/Handler | High
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | Manifest | bundle-docurl | http://netty.io/ | Low
Product | pom | artifactid | netty-handler | Highest
Product | Manifest | implementation-url | http://netty.io/netty-handler/ | Low
Product | gradle | artifactid | netty-handler | Highest
Product | pom | parent-artifactid | netty-parent | Medium
Product | jar | package name | handler | Highest
Product | pom | name | Netty/Handler | High
Product | Manifest | bundle-symbolicname | io.netty.handler | Medium
Product | file | name | netty-handler | High
Product | jar | package name | io | Highest
Product | Manifest | Bundle-Name | Netty/Handler | Medium
Version | gradle | version | 4.0.56.Final | Highest
Version | Manifest | Bundle-Version | 4.0.56.Final | High
Version | pom | version | 4.0.56.Final | Highest
Version | Manifest | Implementation-Version | 4.0.56.Final | High
Published Vulnerabilities
CVE-2019-16869
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
BUGTRAQ - 20200105 [SECURITY] [DSA 4597-1] netty security update
DEBIAN - DSA-4597
MISC - https://github.com/netty/netty/compare/netty-4.1.41.Final...netty-4.1.42.Final
MISC - https://github.com/netty/netty/issues/9571
MLIST - [camel-commits] 20201120 [camel] branch camel-2.25.x updated: Updating Netty to 4.1.48.Final to fix some CVEs (e.g. CVE-2019-16869, CVE-2019-20444)
MLIST - [cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15417) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5
MLIST - [cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15418) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5 for Cassendra 2.2.5
MLIST - [cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities
MLIST - [cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6
MLIST - [cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16699) Security vulnerability CVE-2020-7238 for Netty
MLIST - [cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16699) Security vulnerability CVE-2020-7238 for Netty
MLIST - [debian-lts-announce] 20190930 [SECURITY] [DLA 1941-1] netty security update
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update
MLIST - [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities
MLIST - [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
MLIST - [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
MLIST - [druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities
MLIST - [druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch branch-3.1 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch branch-3.2 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch trunk updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-issues] 20200219 [jira] [Assigned] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,
MLIST - [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200224 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200225 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200309 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200309 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200310 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [olingo-dev] 20191206 [jira] [Assigned] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [olingo-dev] 20191206 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [olingo-dev] 20191206 [jira] [Created] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [olingo-dev] 20191206 [jira] [Resolved] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [olingo-dev] 20191206 [jira] [Updated] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [olingo-dev] 20191209 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [olingo-dev] 20191227 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list
MLIST - [pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [rocketmq-dev] 20201224 [GitHub] [rocketmq] codecov-io commented on pull request #2517: fix CVE-2019-16869, CVE-2018-8020
MLIST - [rocketmq-dev] 20201224 [GitHub] [rocketmq] coveralls commented on pull request #2517: fix CVE-2019-16869, CVE-2018-8020
MLIST - [rocketmq-dev] 20201224 [GitHub] [rocketmq] crazywen opened a new pull request #2517: fix CVE-2019-16869, CVE-2018-8020
MLIST - [spark-issues] 20191219 [jira] [Commented] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191219 [jira] [Created] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191219 [jira] [Updated] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191220 [jira] [Comment Edited] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191220 [jira] [Commented] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191220 [jira] [Issue Comment Deleted] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191220 [jira] [Reopened] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191220 [jira] [Resolved] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [tinkerpop-commits] 20191022 [tinkerpop] branch tp34 updated: Bump to Netty 4.1.42 fixes CVE-2019-16869 - CTR
MLIST - [zookeeper-commits] 20191003 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3563: Update Netty to fix CVE-2019-16869
MLIST - [zookeeper-commits] 20191003 [zookeeper] branch branch-3.5.6 updated: ZOOKEEPER-3563: Update Netty to fix CVE-2019-16869
MLIST - [zookeeper-commits] 20191003 [zookeeper] branch master updated: ZOOKEEPER-3563: Update Netty to address CVE-2019-16869
MLIST - [zookeeper-dev] 20190930 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
MLIST - [zookeeper-dev] 20190930 [jira] [Created] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty-3.10.6.Final.jar: CVE-2019-16869
MLIST - [zookeeper-dev] 20191001 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
MLIST - [zookeeper-dev] 20191002 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
MLIST - [zookeeper-issues] 20190930 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
MLIST - [zookeeper-issues] 20190930 [jira] [Created] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty-3.10.6.Final.jar: CVE-2019-16869
MLIST - [zookeeper-issues] 20190930 [jira] [Updated] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
MLIST - [zookeeper-issues] 20190930 [jira] [Updated] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty with CVE-2019-16869
MLIST - [zookeeper-issues] 20191001 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
MLIST - [zookeeper-issues] 20191003 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
MLIST - [zookeeper-issues] 20191008 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
MLIST - [zookeeper-issues] 20191008 [jira] [Resolved] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
REDHAT - RHSA-2019:3892
REDHAT - RHSA-2019:3901
REDHAT - RHSA-2020:0159
REDHAT - RHSA-2020:0160
REDHAT - RHSA-2020:0161
REDHAT - RHSA-2020:0164
REDHAT - RHSA-2020:0445
UBUNTU - USN-4532-1
Vulnerable Software & Versions:
CVE-2019-20444
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2:
Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
DEBIAN - DSA-4885
FEDORA - FEDORA-2020-66b5f85ccc
MISC - https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final
MISC - https://github.com/netty/netty/issues/9866
MISC - https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1e9cbffa84bb7d92d7@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee340aca052e4c7ef4749@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff4c13049ac7129d319@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E
MLIST - [bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image
MLIST - [camel-commits] 20201120 [camel] branch camel-2.25.x updated: Updating Netty to 4.1.48.Final to fix some CVEs (e.g. CVE-2019-16869, CVE-2019-20444)
MLIST - [cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities
MLIST - [cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update
MLIST - [druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [druid-commits] 20200131 [GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12
MLIST - [geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch branch-3.1 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch branch-3.2 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch trunk updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-issues] 20200219 [jira] [Assigned] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,
MLIST - [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200224 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200225 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200309 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200309 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200310 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list
MLIST - [pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-branch36-java11 #39
MLIST - [zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-branch36-java8 #38
MLIST - [zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-master-maven-jdk11 #361
MLIST - [zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
REDHAT - RHSA-2020:0497
REDHAT - RHSA-2020:0567
REDHAT - RHSA-2020:0601
REDHAT - RHSA-2020:0605
REDHAT - RHSA-2020:0606
REDHAT - RHSA-2020:0804
REDHAT - RHSA-2020:0805
REDHAT - RHSA-2020:0806
REDHAT - RHSA-2020:0811
UBUNTU - USN-4532-1
Vulnerable Software & Versions:
CVE-2019-20445
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2:
Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
DEBIAN - DSA-4885
FEDORA - FEDORA-2020-66b5f85ccc
MISC - https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final
MISC - https://github.com/netty/netty/issues/9861
MISC - https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E
MLIST - [bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image
MLIST - [cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities
MLIST - [cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update
MLIST - [druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [druid-commits] 20200131 [GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [flume-issues] 20200410 [jira] [Created] (FLUME-3363) CVE-2019-20445
MLIST - [flume-issues] 20200415 [jira] [Updated] (FLUME-3363) CVE-2019-20445
MLIST - [flume-issues] 20200422 [jira] [Commented] (FLUME-3363) CVE-2019-20445
MLIST - [geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12
MLIST - [geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12
MLIST - [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list
MLIST - [pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [spark-issues] 20200309 [jira] [Created] (SPARK-31095) Upgrade netty version to fix security vulnerabilities
MLIST - [spark-reviews] 20200310 [GitHub] [spark] dongjoon-hyun commented on issue #27870: [SPARK-31095][BUILD][2.4] Upgrade netty-all to 4.1.47.Final
MLIST - [zookeeper-dev] 20200203 Re: [VOTE] Apache ZooKeeper release 3.6.0 candidate 1
MLIST - [zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
MLIST - [zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445
REDHAT - RHSA-2020:0497
REDHAT - RHSA-2020:0567
REDHAT - RHSA-2020:0601
REDHAT - RHSA-2020:0605
REDHAT - RHSA-2020:0606
REDHAT - RHSA-2020:0804
REDHAT - RHSA-2020:0805
REDHAT - RHSA-2020:0806
REDHAT - RHSA-2020:0811
UBUNTU - USN-4532-1
Vulnerable Software & Versions:
CVE-2021-21290
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method "File.createTempFile" on Unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is therefore vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when starting the JVM, or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
CVSSv2:
Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21295
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, users can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2:
Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21409
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up to GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which did not fix this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
netty-transport-4.0.56.Final.jar
Description:
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
License:
http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.netty/netty-transport/4.0.56.Final/535223be500f76fd02b271e4c15c8678d10830ab/netty-transport-4.0.56.Final.jar
MD5: 08acfd4dc9a6ea1569dca5ab11824979
SHA1: 535223be500f76fd02b271e4c15c8678d10830ab
SHA256: adec23f7790a138014a15eff4c85939cddec63d49f9ef0810725cb4aa5518199
Referenced In Projects/Scopes: cassandra:compileClasspath calcite:sqllineClasspath cassandra:runtimeClasspath cassandra:default
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | io.netty | Highest
Vendor | jar | package name | netty | Highest
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Vendor | Manifest | bundle-docurl | http://netty.io/ | Low
Vendor | Manifest | bundle-symbolicname | io.netty.transport | Medium
Vendor | pom | name | Netty/Transport | High
Vendor | Manifest | implementation-url | http://netty.io/netty-transport/ | Low
Vendor | gradle | groupid | io.netty | Highest
Vendor | pom | artifactid | netty-transport | Low
Vendor | file | name | netty-transport | High
Vendor | Manifest | Implementation-Vendor-Id | io.netty | Medium
Vendor | pom | parent-artifactid | netty-parent | Low
Vendor | jar | package name | io | Highest
Vendor | Manifest | Implementation-Vendor | The Netty Project | High
Product | pom | groupid | io.netty | Highest
Product | jar | package name | netty | Highest
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | Manifest | bundle-docurl | http://netty.io/ | Low
Product | Manifest | Implementation-Title | Netty/Transport | High
Product | pom | parent-artifactid | netty-parent | Medium
Product | Manifest | bundle-symbolicname | io.netty.transport | Medium
Product | pom | name | Netty/Transport | High
Product | Manifest | implementation-url | http://netty.io/netty-transport/ | Low
Product | file | name | netty-transport | High
Product | jar | package name | io | Highest
Product | gradle | artifactid | netty-transport | Highest
Product | Manifest | Bundle-Name | Netty/Transport | Medium
Product | pom | artifactid | netty-transport | Highest
Version | gradle | version | 4.0.56.Final | Highest
Version | Manifest | Bundle-Version | 4.0.56.Final | High
Version | pom | version | 4.0.56.Final | Highest
Version | Manifest | Implementation-Version | 4.0.56.Final | High
Published Vulnerabilities
CVE-2019-16869
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
BUGTRAQ - 20200105 [SECURITY] [DSA 4597-1] netty security update
DEBIAN - DSA-4597
MISC - https://github.com/netty/netty/compare/netty-4.1.41.Final...netty-4.1.42.Final
MISC - https://github.com/netty/netty/issues/9571
MLIST - [camel-commits] 20201120 [camel] branch camel-2.25.x updated: Updating Netty to 4.1.48.Final to fix some CVEs (e.g. CVE-2019-16869, CVE-2019-20444)
MLIST - [cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15417) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5
MLIST - [cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15418) CVE-2019-16869(Netty is vulnerable to HTTP Request Smuggling) of severity 7.5 for Cassendra 2.2.5
MLIST - [cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities
MLIST - [cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6
MLIST - [cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16699) Security vulnerability CVE-2020-7238 for Netty
MLIST - [cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16699) Security vulnerability CVE-2020-7238 for Netty
MLIST - [debian-lts-announce] 20190930 [SECURITY] [DLA 1941-1] netty security update
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update
MLIST - [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities
MLIST - [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
MLIST - [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
MLIST - [druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities
MLIST - [druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch branch-3.1 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch branch-3.2 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch trunk updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-issues] 20200219 [jira] [Assigned] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,
MLIST - [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200224 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200225 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200309 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200309 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200310 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [olingo-dev] 20191206 [jira] [Assigned] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [olingo-dev] 20191206 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [olingo-dev] 20191206 [jira] [Created] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [olingo-dev] 20191206 [jira] [Resolved] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [olingo-dev] 20191206 [jira] [Updated] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [olingo-dev] 20191209 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [olingo-dev] 20191227 [jira] [Commented] (OLINGO-1414) Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty
MLIST - [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list
MLIST - [pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [rocketmq-dev] 20201224 [GitHub] [rocketmq] codecov-io commented on pull request #2517: fix CVE-2019-16869, CVE-2018-8020
MLIST - [rocketmq-dev] 20201224 [GitHub] [rocketmq] coveralls commented on pull request #2517: fix CVE-2019-16869, CVE-2018-8020
MLIST - [rocketmq-dev] 20201224 [GitHub] [rocketmq] crazywen opened a new pull request #2517: fix CVE-2019-16869, CVE-2018-8020
MLIST - [spark-issues] 20191219 [jira] [Commented] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191219 [jira] [Created] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191219 [jira] [Updated] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191220 [jira] [Comment Edited] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191220 [jira] [Commented] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191220 [jira] [Issue Comment Deleted] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191220 [jira] [Reopened] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [spark-issues] 20191220 [jira] [Resolved] (SPARK-30308) Update Netty and Netty-all to address CVE-2019-16869
MLIST - [tinkerpop-commits] 20191022 [tinkerpop] branch tp34 updated: Bump to Netty 4.1.42 fixes CVE-2019-16869 - CTR
MLIST - [zookeeper-commits] 20191003 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3563: Update Netty to fix CVE-2019-16869
MLIST - [zookeeper-commits] 20191003 [zookeeper] branch branch-3.5.6 updated: ZOOKEEPER-3563: Update Netty to fix CVE-2019-16869
MLIST - [zookeeper-commits] 20191003 [zookeeper] branch master updated: ZOOKEEPER-3563: Update Netty to address CVE-2019-16869
MLIST - [zookeeper-dev] 20190930 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
MLIST - [zookeeper-dev] 20190930 [jira] [Created] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty-3.10.6.Final.jar: CVE-2019-16869
MLIST - [zookeeper-dev] 20191001 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
MLIST - [zookeeper-dev] 20191002 Re: [VOTE] Apache ZooKeeper release 3.5.6 candidate 2
MLIST - [zookeeper-issues] 20190930 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
MLIST - [zookeeper-issues] 20190930 [jira] [Created] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty-3.10.6.Final.jar: CVE-2019-16869
MLIST - [zookeeper-issues] 20190930 [jira] [Updated] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
MLIST - [zookeeper-issues] 20190930 [jira] [Updated] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - netty with CVE-2019-16869
MLIST - [zookeeper-issues] 20191001 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
MLIST - [zookeeper-issues] 20191003 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
MLIST - [zookeeper-issues] 20191008 [jira] [Commented] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
MLIST - [zookeeper-issues] 20191008 [jira] [Resolved] (ZOOKEEPER-3563) dependency check failing on 3.4 and 3.5 branches - CVE-2019-16869 on Netty
REDHAT - RHSA-2019:3892
REDHAT - RHSA-2019:3901
REDHAT - RHSA-2020:0159
REDHAT - RHSA-2020:0160
REDHAT - RHSA-2020:0161
REDHAT - RHSA-2020:0164
REDHAT - RHSA-2020:0445
UBUNTU - USN-4532-1
Vulnerable Software & Versions:
CVE-2019-20444
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2:
Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
DEBIAN - DSA-4885
FEDORA - FEDORA-2020-66b5f85ccc
MISC - https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final
MISC - https://github.com/netty/netty/issues/9866
MISC - https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1e9cbffa84bb7d92d7@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee340aca052e4c7ef4749@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff4c13049ac7129d319@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E
MISC - https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E
MLIST - [bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image
MLIST - [camel-commits] 20201120 [camel] branch camel-2.25.x updated: Updating Netty to 4.1.48.Final to fix some CVEs (e.g. CVE-2019-16869, CVE-2019-20444)
MLIST - [cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities
MLIST - [cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update
MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update
MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update
MLIST - [druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [druid-commits] 20200131 [GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444
MLIST - [flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink
MLIST - [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
MLIST - [geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12
MLIST - [geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch branch-3.1 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch branch-3.2 updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-commits] 20200309 [hadoop] branch trunk updated: HADOOP-16871. Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444, CVE-2019-16869
MLIST - [hadoop-common-issues] 20200219 [jira] [Assigned] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,
MLIST - [hadoop-common-issues] 20200219 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200224 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200225 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200309 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200309 [jira] [Updated] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [hadoop-common-issues] 20200310 [jira] [Commented] (HADOOP-16871) Upgrade Netty version to 4.1.45.Final to handle CVE-2019-20444,CVE-2019-16869
MLIST - [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list
MLIST - [pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444
MLIST - [pulsar-commits] 20210122
[GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444 MLIST - [zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-branch36-java11 #39 MLIST - [zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-branch36-java8 #38 MLIST - [zookeeper-dev] 20200204 Build failed in Jenkins: zookeeper-master-maven-jdk11 #361 MLIST - [zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 REDHAT - RHSA-2020:0497 REDHAT - RHSA-2020:0567 REDHAT - RHSA-2020:0601 REDHAT - RHSA-2020:0605 REDHAT - RHSA-2020:0606 REDHAT - RHSA-2020:0804 REDHAT - RHSA-2020:0805 REDHAT - RHSA-2020:0806 REDHAT - RHSA-2020:0811 UBUNTU - USN-4532-1 Vulnerable Software & Versions: (show all )
CVE-2019-20445
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2:
Base Score: MEDIUM (6.4) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
Base Score: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
DEBIAN - DSA-4885 FEDORA - FEDORA-2020-66b5f85ccc MISC - https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final MISC - https://github.com/netty/netty/issues/9861 MISC - https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E MISC - https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E MISC - https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E MISC - https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E MISC - https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E MISC - https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E MLIST - [bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image MLIST - [cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities MLIST - [cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6 MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update MLIST - [debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update MLIST - [debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update MLIST - [druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444 MLIST - [druid-commits] 20200131 
[GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444 MLIST - [druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444 MLIST - [flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink MLIST - [flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink MLIST - [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx MLIST - [flume-issues] 20200410 [jira] [Created] (FLUME-3363) CVE-2019-20445 MLIST - [flume-issues] 20200415 [jira] [Updated] (FLUME-3363) CVE-2019-20445 MLIST - [flume-issues] 20200422 [jira] [Commented] (FLUME-3363) CVE-2019-20445 MLIST - [geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12 MLIST - [geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12 MLIST - [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list MLIST - [pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444 MLIST - [pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444 MLIST - [pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444 MLIST - [spark-issues] 20200309 [jira] [Created] (SPARK-31095) Upgrade netty version to fix security vulnerabilities MLIST - [spark-reviews] 20200310 [GitHub] [spark] 
dongjoon-hyun commented on issue #27870: [SPARK-31095][BUILD][2.4] Upgrade netty-all to 4.1.47.Final MLIST - [zookeeper-dev] 20200203 Re: [VOTE] Apache ZooKeeper release 3.6.0 candidate 1 MLIST - [zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 MLIST - [zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445 REDHAT - RHSA-2020:0497 REDHAT - RHSA-2020:0567 REDHAT - RHSA-2020:0601 REDHAT - RHSA-2020:0605 REDHAT - RHSA-2020:0606 REDHAT - RHSA-2020:0804 REDHAT - RHSA-2020:0805 REDHAT - RHSA-2020:0806 REDHAT - RHSA-2020:0811 UBUNTU - USN-4532-1 Vulnerable Software & Versions: (show all )
CVE-2021-21290
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method "File.createTempFile" on Unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM, or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user. CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
CVSSv2:
Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv3:
Base Score: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21295
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2:
Base Score: LOW (2.6) Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2021-21409
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up to GHSA-wm47-8v5p-wjpj/CVE-2021-21295, whose fix missed this one case. This was fixed as part of 4.1.61.Final. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3:
Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
objenesis-2.1.jar
Description:
A library for instantiating Java objects
License:
http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.objenesis/objenesis/2.1/87c0ea803b69252868d09308b4618f766f135a96/objenesis-2.1.jar
MD5: 32ccb1d20a42b5aaaceb90c9082a2efa
SHA1: 87c0ea803b69252868d09308b4618f766f135a96
SHA256: c74330cc6b806c804fd37e74487b4fe5d7c2750c5e15fbc6efa13bdee1bdef80
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor file name objenesis High Vendor Manifest Implementation-Vendor Joe Walnes, Henri Tremblay, Leonardo Mesquita High Vendor jar package name objenesis Highest Vendor Manifest Implementation-Vendor-Id org.objenesis Medium Vendor Manifest bundle-symbolicname org.objenesis Medium Vendor jar package name objenesis Low Vendor jar package name instantiator Low Vendor Manifest specification-vendor Joe Walnes, Henri Tremblay, Leonardo Mesquita Low Vendor gradle groupid org.objenesis Highest Product gradle artifactid objenesis Highest Product file name objenesis High Product Manifest Implementation-Title Objenesis High Product jar package name objenesis Highest Product Manifest bundle-symbolicname org.objenesis Medium Product jar package name instantiator Low Product Manifest Bundle-Name Objenesis Medium Product Manifest specification-title Objenesis Medium Version Manifest Implementation-Version 2.1 High Version file version 2.1 High
opencsv-2.3.jar
Description:
A simple library for reading and writing CSV in Java
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.sf.opencsv/opencsv/2.3/c23708cdb9e80a144db433e23344a788a1fd6599/opencsv-2.3.jar
MD5: 9eebabaa007dc329845e5ab3c12b4e6b
SHA1: c23708cdb9e80a144db433e23344a788a1fd6599
SHA256: dc0ba5bff6140dc92339973026a0ecbddc2a3b01bdd46ed9d16becc2f6d78de6
Referenced In Projects/Scopes: file:compileClasspath splunk:runtimeClasspath file:runtimeClasspath calcite:sqllineClasspath splunk:default csv:runtimeClasspath file:default splunk:compileClasspath csv:default Evidence Type Source Name Value Confidence Vendor pom name opencsv High Vendor file name opencsv High Vendor jar package name bytecode Low Vendor pom groupid net.sf.opencsv Highest Vendor pom url http://opencsv.sf.net Highest Vendor gradle groupid net.sf.opencsv Highest Vendor jar package name com Low Vendor pom artifactid opencsv Low Vendor jar package name opencsv Highest Vendor jar package name au Low Product gradle artifactid opencsv Highest Product pom name opencsv High Product file name opencsv High Product jar package name bytecode Low Product pom groupid net.sf.opencsv Highest Product pom artifactid opencsv Highest Product jar package name com Low Product jar package name opencsv Low Product jar package name opencsv Highest Product pom url http://opencsv.sf.net Medium Version gradle version 2.3 Highest Version file version 2.3 High Version pom version 2.3 Highest
oro-2.0.8.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/oro/oro/2.0.8/5592374f834645c4ae250f4c9fbb314c9369d698/oro-2.0.8.jar
MD5: 42e940d5d2d822f4dc04c65053e630ab
SHA1: 5592374f834645c4ae250f4c9fbb314c9369d698
SHA256: e00ccdad5df7eb43fdee44232ef64602bf63807c2d133a7be83ba09fd49af26e
Referenced In Projects/Scopes:
piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath spark:default spark:compileClasspath piglet:default pig:default spark:runtimeClasspath pig:compileClasspath Evidence Type Source Name Value Confidence Vendor gradle groupid oro Highest Vendor jar package name apache Highest Vendor manifest: org/apache/oro Implementation-Vendor Apache Software Foundation Medium Vendor jar package name apache Low Vendor file name oro High Vendor jar package name oro Low Vendor jar package name text Low Product manifest: org/apache/oro Implementation-Title org.apache.oro Medium Product jar package name apache Highest Product gradle artifactid oro Highest Product manifest: org/apache/oro Specification-Title Jakarta ORO Medium Product jar package name oro Highest Product file name oro High Product jar package name oro Low Product jar package name text Low Version gradle version 2.0.8 Highest Version file version 2.0.8 High Version manifest: org/apache/oro Implementation-Version 2.0.8 2003-12-28 11:00:13 Medium Version file name oro Medium
osgi-resource-locator-1.0.1.jar
Description:
See http://wiki.glassfish.java.net/Wiki.jsp?page=JdkSpiOsgi for more information
License:
https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.glassfish.hk2/osgi-resource-locator/1.0.1/4ed2b2d4738aed5786cfa64cba5a332779c4c708/osgi-resource-locator-1.0.1.jar
MD5: 51e70ad8fc9d1e9fb19debeb55555b75
SHA1: 4ed2b2d4738aed5786cfa64cba5a332779c4c708
SHA256: 775003be577e8806f51b6e442be1033d83be2cb2207227b349be0bf16e6c0843
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor file name osgi-resource-locator High Vendor Manifest bundle-symbolicname org.glassfish.hk2.osgi-resource-locator Medium Vendor Manifest bundle-activationpolicy lazy Low Vendor jar package name glassfish Highest Vendor pom groupid glassfish.hk2 Highest Vendor pom parent-groupid org.glassfish Medium Vendor jar package name hk2 Highest Vendor gradle groupid org.glassfish.hk2 Highest Vendor pom artifactid osgi-resource-locator Low Vendor pom parent-artifactid pom Low Vendor pom name OSGi resource locator bundle - used by various API providers that rely on META-INF/services mechanism to locate providers. High Vendor Manifest bundle-docurl https://glassfish.dev.java.net Low Product gradle artifactid osgi-resource-locator Highest Product file name osgi-resource-locator High Product pom parent-artifactid pom Medium Product Manifest bundle-symbolicname org.glassfish.hk2.osgi-resource-locator Medium Product Manifest bundle-activationpolicy lazy Low Product pom artifactid osgi-resource-locator Highest Product jar package name glassfish Highest Product pom groupid glassfish.hk2 Highest Product pom parent-groupid org.glassfish Medium Product Manifest Bundle-Name OSGi resource locator bundle - used by various API providers that rely on META-INF/services mechanism to locate providers. Medium Product jar package name hk2 Highest Product pom name OSGi resource locator bundle - used by various API providers that rely on META-INF/services mechanism to locate providers. High Product Manifest bundle-docurl https://glassfish.dev.java.net Low Version file version 1.0.1 High Version pom parent-version 1.0.1 Low Version Manifest Bundle-Version 1.0.1 High Version pom version 1.0.1 Highest Version gradle version 1.0.1 Highest
paranamer-2.3.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.thoughtworks.paranamer/paranamer/2.3/4a85963a752c0a2f715c3924bfc686865e7e1bc6/paranamer-2.3.jar
MD5: e3060bebfe449abeb277e77c4c3388cb
SHA1: 4a85963a752c0a2f715c3924bfc686865e7e1bc6
SHA256: e93f50ae4d0de11080677f44ab268691266fed2b3ff7bc6fd97636febae7d8fe
Referenced In Projects/Scopes:
piglet:compileClasspath piglet:runtimeClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath Evidence Type Source Name Value Confidence Vendor jar package name paranamer Highest Vendor pom name ParaNamer Core High Vendor file name paranamer High Vendor pom artifactid paranamer Low Vendor jar package name thoughtworks Low Vendor pom parent-groupid com.thoughtworks.paranamer Medium Vendor pom parent-artifactid paranamer-parent Low Vendor gradle groupid com.thoughtworks.paranamer Highest Vendor jar package name thoughtworks Highest Vendor pom groupid thoughtworks.paranamer Highest Vendor jar package name paranamer Low Product jar package name paranamer Highest Product pom artifactid paranamer Highest Product pom name ParaNamer Core High Product file name paranamer High Product gradle artifactid paranamer Highest Product pom parent-artifactid paranamer-parent Medium Product pom parent-groupid com.thoughtworks.paranamer Medium Product jar package name thoughtworks Highest Product pom groupid thoughtworks.paranamer Highest Product jar package name paranamer Low Version gradle version 2.3 Highest Version file version 2.3 High Version pom version 2.3 Highest
paranamer-2.8.jar
Description:
Paranamer allows runtime access to constructor and method parameter names for Java classes
License:
LICENSE.txt File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.thoughtworks.paranamer/paranamer/2.8/619eba74c19ccf1da8ebec97a2d7f8ba05773dd6/paranamer-2.8.jar
MD5: f213c72b67d4850f17a4a3e9064904de
SHA1: 619eba74c19ccf1da8ebec97a2d7f8ba05773dd6
SHA256: 688cb118a6021d819138e855208c956031688be4b47a24bb615becc63acedf07
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor jar package name paranamer Highest Vendor pom name ParaNamer Core High Vendor file name paranamer High Vendor pom artifactid paranamer Low Vendor Manifest bundle-symbolicname com.thoughtworks.paranamer Medium Vendor pom parent-groupid com.thoughtworks.paranamer Medium Vendor pom parent-artifactid paranamer-parent Low Vendor gradle groupid com.thoughtworks.paranamer Highest Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))" Low Vendor jar package name thoughtworks Highest Vendor pom groupid thoughtworks.paranamer Highest Product jar package name paranamer Highest Product pom artifactid paranamer Highest Product pom name ParaNamer Core High Product pom parent-artifactid paranamer-parent Medium Product Manifest bundle-symbolicname com.thoughtworks.paranamer Medium Product pom parent-groupid com.thoughtworks.paranamer Medium Product jar package name thoughtworks Highest Product pom groupid thoughtworks.paranamer Highest Product file name paranamer High Product gradle artifactid paranamer Highest Product Manifest Bundle-Name ParaNamer Core Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))" Low Version pom version 2.8 Highest Version gradle version 2.8 Highest Version file version 2.8 High
picocli-4.1.4.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/info.picocli/picocli/4.1.4/e9ac7856611815391f85ac66c8ceadacb51250b5/picocli-4.1.4.jar
MD5: 28605e00382694eb4944d5edb340cb5b
SHA1: e9ac7856611815391f85ac66c8ceadacb51250b5
SHA256: 4649b93987327cbd4abb44bd24870ff49e3f8faf2fd5c32c0ade28ec9c213687
Referenced In Projects/Scopes:
splunk:checkstyle cassandra:checkstyle piglet:checkstyle calcite:checkstyle bom:checkstyle function:checkstyle spark:checkstyle plus:checkstyle pig:checkstyle druid:checkstyle csv:checkstyle core:checkstyle server:checkstyle file:checkstyle geode:checkstyle mongodb:checkstyle elasticsearch:checkstyle release:checkstyle kafka:checkstyle ubenchmark:checkstyle linq4j:checkstyle redis:checkstyle babel:checkstyle example:checkstyle innodb:checkstyle Evidence Type Source Name Value Confidence Vendor jar package name picocli Highest Vendor jar package name picocli Low Vendor Manifest specification-vendor Remko Popma Low Vendor gradle groupid info.picocli Highest Vendor file name picocli High Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))" Low Vendor Manifest multi-release true Low Vendor Manifest Implementation-Vendor Remko Popma High Vendor Manifest bundle-symbolicname picocli Medium Product Manifest Bundle-Name picocli Medium Product jar package name picocli Highest Product file name picocli High Product Manifest specification-title picocli Medium Product Manifest Implementation-Title picocli High Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))" Low Product Manifest multi-release true Low Product gradle artifactid picocli Highest Product Manifest bundle-symbolicname picocli Medium Version file version 4.1.4 High Version Manifest Implementation-Version 4.1.4 High
pig-0.16.0-h2.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.pig/pig/0.16.0/cad5f4e97b6c02c7b4585c9c1ae772184c61b88c/pig-0.16.0-h2.jar
MD5: c44f6cd4ec923abd3d14ff86b0312f50
SHA1: cad5f4e97b6c02c7b4585c9c1ae772184c61b88c
SHA256: a54b59e95e571145646ca9597c6c39e6a188216d25aa2c82980c8588d00ad6c7
Referenced In Projects/Scopes:
piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath Evidence Type Source Name Value Confidence Vendor jar package name apache Highest Vendor gradle groupid org.apache.pig Highest Vendor manifest: org/apache/pig Implementation-Vendor Apache Medium Vendor jar package name apache Low Vendor file name pig High Vendor jar package name pig Low Product jar package name pig Highest Product gradle artifactid pig Highest Product file name pig High Product manifest: org/apache/pig Implementation-Title Pig Medium Product jar package name pig Low Version manifest: org/apache/pig Implementation-Version 0.16.0 Medium Version file version 0.16.0.h2 High Version file name pig Medium Version gradle version 0.16.0 Highest
protobuf-java-3.6.1.jar
Description:
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
License:
https://opensource.org/licenses/BSD-3-Clause File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.6.1/d06d46ecfd92ec6d0f3b423b4cd81cb38d8b924/protobuf-java-3.6.1.jar
MD5: 17b60a7d277343a16fe881d18adecc0b
SHA1: 0d06d46ecfd92ec6d0f3b423b4cd81cb38d8b924
SHA256: fb66d913ff0578553b2e28a3338cbbbe2657e6cfe0e98d939f23aea219daf508
Referenced In Projects/Scopes: cassandra:compileClasspath piglet:compileClasspath piglet:runtimeClasspath spark:default splunk:default kafka:default spark:compileClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath linq4j:runtimeClasspath linq4j:default druid:compileClasspath plus:compileClasspath linq4j:compileClasspath pig:default plus:runtimeClasspath splunk:compileClasspath function:default file:compileClasspath core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath file:runtimeClasspath innodb:runtimeClasspath elasticsearch:default kafka:compileClasspath druid:runtimeClasspath mongodb:default cassandra:default babel:default function:runtimeClasspath redis:compileClasspath redis:runtimeClasspath core:default function:compileClasspath elasticsearch:compileClasspath babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default babel:compileClasspath csv:default innodb:compileClasspath core:compileClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default geode:compileClasspath mongodb:runtimeClasspath file:default server:default ubenchmark:jmhCompileClasspath pig:runtimeClasspath mongodb:compileClasspath server:compileClasspath redis:default geode:runtimeClasspath csv:compileClasspath csv:runtimeClasspath plus:default pig:compileClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | jar | package name | google | Highest
Vendor | Manifest | bundle-docurl | https://developers.google.com/protocol-buffers/ | Low
Vendor | pom | parent-artifactid | protobuf-parent | Low
Vendor | Manifest | bundle-symbolicname | com.google.protobuf | Medium
Vendor | pom | parent-groupid | com.google.protobuf | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Vendor | jar | package name | protobuf | Highest
Vendor | gradle | groupid | com.google.protobuf | Highest
Vendor | pom | artifactid | protobuf-java | Low
Vendor | file | name | protobuf-java | High
Vendor | pom | groupid | google.protobuf | Highest
Vendor | pom | name | Protocol Buffers [Core] | High
Product | jar | package name | google | Highest
Product | Manifest | bundle-docurl | https://developers.google.com/protocol-buffers/ | Low
Product | Manifest | bundle-symbolicname | com.google.protobuf | Medium
Product | pom | parent-groupid | com.google.protobuf | Medium
Product | Manifest | Bundle-Name | Protocol Buffers [Core] | Medium
Product | pom | parent-artifactid | protobuf-parent | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" | Low
Product | jar | package name | protobuf | Highest
Product | gradle | artifactid | protobuf-java | Highest
Product | pom | artifactid | protobuf-java | Highest
Product | file | name | protobuf-java | High
Product | pom | groupid | google.protobuf | Highest
Product | pom | name | Protocol Buffers [Core] | High
Version | file | version | 3.6.1 | High
Version | pom | version | 3.6.1 | Highest
Version | Manifest | Bundle-Version | 3.6.1 | High
Version | gradle | version | 3.6.1 | Highest
py4j-0.10.7.jar
Description:
Py4J enables Python programs running in a Python interpreter to dynamically access Java objects in a Java Virtual Machine. Methods are called as if the Java objects resided in the Python interpreter and Java collections can be accessed through standard Python collection methods. Py4J also enables Java programs to call back Python objects.
License:
The New BSD License: http://www.opensource.org/licenses/bsd-license.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.sf.py4j/py4j/0.10.7/e733e888c2e798ea15802f12a9f3130949ca741f/py4j-0.10.7.jar
MD5: 51552359047812808cde255ef38e78d2
SHA1: e733e888c2e798ea15802f12a9f3130949ca741f
SHA256: 49d1e3e86532a6c68c399fb83508603ebeeb9b942e0cf301db71c7987fd4dfcb
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | py4j | High
Vendor | pom | name | Py4J | High
Vendor | pom | groupid | net.sf.py4j | Highest
Vendor | jar | package name | py4j | Highest
Vendor | pom | artifactid | py4j | Low
Vendor | gradle | groupid | net.sf.py4j | Highest
Vendor | jar | package name | py4j | Low
Product | file | name | py4j | High
Product | gradle | artifactid | py4j | Highest
Product | pom | name | Py4J | High
Product | pom | groupid | net.sf.py4j | Highest
Product | jar | package name | py4j | Highest
Product | pom | artifactid | py4j | Highest
Version | file | version | 0.10.7 | High
Version | pom | version | 0.10.7 | Highest
Version | gradle | version | 0.10.7 | Highest
pyrolite-4.13.jar
Description:
This library allows your Java program to interface very easily with the Python world. It uses the Pyro protocol to call methods on remote objects. (See https://github.com/irmen/Pyro4). To that end, it also contains and uses a feature-complete pickle protocol implementation (read and write) to exchange data with Pyro/Python.
Pyrolite only implements part of the client side of the Pyro library, hence its name 'lite'. But because Pyrolite has no dependencies, it is a much lighter way to use Pyro from Java/.NET than a solution with Jython+Pyro or IronPython+Pyro would provide. So if you don't need Pyro's full feature set, and don't require your Java/.NET code to host Pyro objects itself, Pyrolite may be a good choice to connect Java or .NET and Python.
Version 4.13 can register a custom pickler for an inheritance tree of interfaces or an abstract base class.
License:
MIT License: https://raw.githubusercontent.com/irmen/Pyrolite/master/LICENSE
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.razorvine/pyrolite/4.13/b71a4668b0c4194486832fe7ce161eed2d0d12cb/pyrolite-4.13.jar
MD5: b4ab074cb07e995bcbd203c72e5efa1d
SHA1: b71a4668b0c4194486832fe7ce161eed2d0d12cb
SHA256: 4ba424d328cbd7a6ff73108cce40d3cc376eef602b947e57fdc782171d92e463
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | jar | package name | objects | Highest
Vendor | jar | package name | net | Highest
Vendor | gradle | groupid | net.razorvine | Highest
Vendor | jar | package name | pickle | Low
Vendor | pom | groupid | net.razorvine | Highest
Vendor | jar | package name | razorvine | Highest
Vendor | jar | package name | pyro | Highest
Vendor | pom | name | pyrolite | High
Vendor | file | name | pyrolite | High
Vendor | jar | package name | razorvine | Low
Vendor | jar | package name | net | Low
Vendor | pom | url | irmen/Pyrolite | Highest
Vendor | pom | artifactid | pyrolite | Low
Product | jar | package name | objects | Highest
Product | jar | package name | net | Highest
Product | pom | artifactid | pyrolite | Highest
Product | jar | package name | pickle | Low
Product | pom | groupid | net.razorvine | Highest
Product | jar | package name | razorvine | Highest
Product | jar | package name | pyro | Highest
Product | pom | name | pyrolite | High
Product | file | name | pyrolite | High
Product | jar | package name | razorvine | Low
Product | gradle | artifactid | pyrolite | Highest
Product | pom | url | irmen/Pyrolite | High
Version | pom | version | 4.13 | Highest
Version | gradle | version | 4.13 | Highest
Version | file | version | 4.13 | High
quidem-0.9.jar
Description:
Idempotent query scripts
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.hydromatic/quidem/0.9/207853540d6a2a8ede539fa570da6ab6ba427dc5/quidem-0.9.jar
MD5: 10525f465a02c3aa4a0536151cb10f15
SHA1: 207853540d6a2a8ede539fa570da6ab6ba427dc5
SHA256: b9cad3f7718cd4b4c513c489d195a35047624062cc07f52a054a2c8830e3f4ba
Referenced In Projects/Scopes: calcite:sqllineClasspath plus:compileClasspath plus:default plus:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | pom | name | Quidem | High
Vendor | pom | url | http://github.com/julianhyde/quidem | Highest
Vendor | jar | package name | net | Highest
Vendor | jar | package name | hydromatic | Highest
Vendor | jar | package name | quidem | Highest
Vendor | pom | organization url | http://www.hydromatic.net | Medium
Vendor | gradle | groupid | net.hydromatic | Highest
Vendor | pom | groupid | net.hydromatic | Highest
Vendor | pom | parent-artifactid | parent | Low
Vendor | file | name | quidem | High
Vendor | jar | package name | net | Low
Vendor | pom | artifactid | quidem | Low
Vendor | pom | organization name | Julian Hyde | High
Vendor | jar | package name | hydromatic | Low
Vendor | jar | package name | quidem | Low
Product | pom | parent-artifactid | parent | Medium
Product | pom | name | Quidem | High
Product | pom | organization name | Julian Hyde | Low
Product | jar | package name | net | Highest
Product | jar | package name | hydromatic | Highest
Product | jar | package name | quidem | Highest
Product | pom | groupid | net.hydromatic | Highest
Product | pom | artifactid | quidem | Highest
Product | file | name | quidem | High
Product | gradle | artifactid | quidem | Highest
Product | jar | package name | hydromatic | Low
Product | jar | package name | quidem | Low
Product | pom | organization url | http://www.hydromatic.net | Low
Product | pom | url | http://github.com/julianhyde/quidem | Medium
Version | pom | version | 0.9 | Highest
Version | file | version | 0.9 | High
Version | gradle | version | 0.9 | Highest
Version | pom | parent-version | 0.9 | Low
rmiio-2.1.2.jar
Description:
IO related classes for streaming data over RMI
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.healthmarketscience.rmiio/rmiio/2.1.2/1d35887bc716bff6e51d7530bb5abf14fc211e70/rmiio-2.1.2.jar
MD5: 0a91a763604f68cbdcb6acc81a1de4b9
SHA1: 1d35887bc716bff6e51d7530bb5abf14fc211e70
SHA256: 277163857431024c4279683a3df23032c15f3427d1e1b6567cd4d0dd6666e1e9
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | jar | package name | rmiio | Highest
Vendor | Manifest | bundle-docurl | http://www.healthmarketscience.com | Low
Vendor | file | name | rmiio | High
Vendor | pom | url | http://openhms.sourceforge.net/rmiio | Highest
Vendor | pom | parent-groupid | com.healthmarketscience | Medium
Vendor | pom | groupid | healthmarketscience.rmiio | Highest
Vendor | jar | package name | healthmarketscience | Highest
Vendor | gradle | groupid | com.healthmarketscience.rmiio | Highest
Vendor | pom | artifactid | rmiio | Low
Vendor | pom | parent-artifactid | openhms-parent | Low
Vendor | pom | name | RMI IO Utilites | High
Vendor | Manifest | bundle-symbolicname | com.healthmarketscience.rmiio | Medium
Product | pom | parent-artifactid | openhms-parent | Medium
Product | jar | package name | rmiio | Highest
Product | Manifest | bundle-docurl | http://www.healthmarketscience.com | Low
Product | gradle | artifactid | rmiio | Highest
Product | file | name | rmiio | High
Product | pom | parent-groupid | com.healthmarketscience | Medium
Product | pom | artifactid | rmiio | Highest
Product | Manifest | Bundle-Name | RMI IO Utilites | Medium
Product | pom | url | http://openhms.sourceforge.net/rmiio | Medium
Product | pom | groupid | healthmarketscience.rmiio | Highest
Product | jar | package name | healthmarketscience | Highest
Product | pom | name | RMI IO Utilites | High
Product | Manifest | bundle-symbolicname | com.healthmarketscience.rmiio | Medium
Version | gradle | version | 2.1.2 | Highest
Version | Manifest | Bundle-Version | 2.1.2 | High
Version | pom | version | 2.1.2 | Highest
Version | file | version | 2.1.2 | High
Version | pom | parent-version | 2.1.2 | Low
scala-compiler-2.10.0.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.10.0/fec8066cd2b4f8dc7ff7ba7a8e0a792939d9f9a/scala-compiler-2.10.0.jar
MD5: 292c35cfba775896c36cbb9a045d2138
SHA1: 0fec8066cd2b4f8dc7ff7ba7a8e0a792939d9f9a
SHA256: 31283efbb9f955449a1d28a6fba68f67df75a4da0828cd7605e7c28038365622
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | gradle | groupid | org.scala-lang | Highest
Vendor | Manifest | bundle-symbolicname | org.scala-lang.scala-compiler | Medium
Vendor | jar | package name | scala | Highest
Vendor | jar | package name | compiler | Highest
Vendor | jar | package name | nsc | Low
Vendor | jar | package name | scala | Low
Vendor | jar | package name | tools | Low
Vendor | file | name | scala-compiler | High
Product | Manifest | bundle-symbolicname | org.scala-lang.scala-compiler | Medium
Product | jar | package name | scala | Highest
Product | gradle | artifactid | scala-compiler | Highest
Product | jar | package name | compiler | Highest
Product | jar | package name | nsc | Low
Product | jar | package name | tools | Low
Product | Manifest | Bundle-Name | Scala Compiler | Medium
Product | file | name | scala-compiler | High
Version | file | name | scala-compiler | Medium
Version | Manifest | Bundle-Version | 2.10.0.v20121205-112020-VFINAL-18481cef9b | High
Version | gradle | version | 2.10.0 | Highest
Version | file | version | 2.10.0 | High
Published Vulnerabilities
CVE-2017-15288
The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and 2.12.x before 2.12.4 uses weak permissions for private files in /tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows local users to write to arbitrary class files and consequently gain privileges.
CWE-732 Incorrect Permission Assignment for Critical Resource
CVSSv2: Base Score: HIGH (7.2) Vector: /AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
CONFIRM - http://scala-lang.org/news/security-update-nov17.html
CONFIRM - https://github.com/scala/scala/pull/6108
CONFIRM - https://github.com/scala/scala/pull/6120
CONFIRM - https://github.com/scala/scala/pull/6128
GENTOO - GLSA-201812-08
MLIST - [activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar
MLIST - [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities
MLIST - [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
MLIST - [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
MLIST - [druid-commits] 20210302 [GitHub] [druid] abhishekagarwal87 opened a new pull request #10933: Suppress CVE-2017-15288 and upgrade bcprov-ext-jdk15on
MLIST - [druid-commits] 20210302 [GitHub] [druid] maytasm merged pull request #10933: Suppress CVE-2017-15288 and upgrade bcprov-ext-jdk15on
MLIST - [kafka-dev] 20210211 [jira] [Created] (KAFKA-12325) Update to secure versions of scala libraries due to CVE-2017-15288
MLIST - [kafka-dev] 20210215 [jira] [Resolved] (KAFKA-12325) Is Kafka affected by Scala security vulnerability (CVE-2017-15288)?
MLIST - [kafka-jira] 20210211 [jira] [Created] (KAFKA-12325) Update to secure versions of scala libraries due to CVE-2017-15288
MLIST - [kafka-jira] 20210211 [jira] [Updated] (KAFKA-12325) Is Kafka affected by Scala security vulnerability (CVE-2017-15288)?
MLIST - [kafka-jira] 20210212 [jira] [Commented] (KAFKA-12325) Is Kafka affected by Scala security vulnerability (CVE-2017-15288)?
MLIST - [kafka-jira] 20210214 [jira] [Commented] (KAFKA-12325) Is Kafka affected by Scala security vulnerability (CVE-2017-15288)?
MLIST - [kafka-jira] 20210215 [jira] [Commented] (KAFKA-12325) Is Kafka affected by Scala security vulnerability (CVE-2017-15288)?
MLIST - [kafka-jira] 20210215 [jira] [Resolved] (KAFKA-12325) Is Kafka affected by Scala security vulnerability (CVE-2017-15288)?
OSSINDEX - [CVE-2017-15288] Permissions, Privileges, and Access Controls
Vulnerable Software & Versions:
scala-compiler-2.10.0.jar: diagrams.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.10.0/fec8066cd2b4f8dc7ff7ba7a8e0a792939d9f9a/scala-compiler-2.10.0.jar/scala/tools/nsc/doc/html/resource/lib/diagrams.js
MD5: 58321351be7cf563cc8321f50f9f6ae1
SHA1: 85f3fafca7a08e014a90cd047a4114c95a3d43c9
SHA256: e815264202c67b4d796e6e38051e0870b42e805cf1fe7fd78fc4599ed48240df
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence): none
scala-compiler-2.10.0.jar: index.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.10.0/fec8066cd2b4f8dc7ff7ba7a8e0a792939d9f9a/scala-compiler-2.10.0.jar/scala/tools/nsc/doc/html/resource/lib/index.js
MD5: c68a4e1d74826c60d1d0875ab100fe96
SHA1: 080bad3733d5774c927852b4702175c45e9816ae
SHA256: 2e2064634ca2cd7da676e1ef3ef8957f4f11d3df926eab2a9aa87dbbc3ca7e52
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence): none
scala-compiler-2.10.0.jar: jquery-ui.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.10.0/fec8066cd2b4f8dc7ff7ba7a8e0a792939d9f9a/scala-compiler-2.10.0.jar/scala/tools/nsc/doc/html/resource/lib/jquery-ui.js
MD5: 2e5cf7e1e4b6ad05bfb6aead63f372f9
SHA1: 81269986fe3d866d0430312c1dc18a718cc2d728
SHA256: f6c8f3c1c946e8a5b8d6e129c833fbd680159b53f2413e218675e0e9a72e6c2e
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | jquery-ui-dialog | High
Product | file | name | jquery-ui-dialog | High
Version | file | version | 1.9.0 | High
Published Vulnerabilities
CVE-2010-5312
Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
Vulnerable Software & Versions (NVD):
cpe:2.3:a:jquery:jquery_ui:*:*:*:*:*:*:*:* versions up to (excluding) 1.10.0
CVE-2016-7103
Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions (NVD):
cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 19.1
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 16.0; versions up to (including) 16.2
cpe:2.3:a:redhat:openstack:7.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 18.0; versions up to (including) 18.8.4
cpe:2.3:a:redhat:openstack:8.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery:jquery_ui:*:*:*:*:*:*:*:* versions from (including) 1.10.0; versions up to (including) 1.11.4
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery:jquery_ui:1.10.0:beta1:*:*:*:*:*:*
cpe:2.3:a:jquery:jquery_ui:1.10.0:rc1:*:*:*:*:*:*
cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.0; versions up to (including) 17.12.4
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
scala-compiler-2.10.0.jar: jquery.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.10.0/fec8066cd2b4f8dc7ff7ba7a8e0a792939d9f9a/scala-compiler-2.10.0.jar/scala/tools/nsc/doc/html/resource/lib/jquery.js
MD5: 0b6ecf17e30037994d3ffee51b525914
SHA1: d09d3a99ed25d0f1fbe6856de9e14ffd33557256
SHA256: f554d2f09272c6f71447ebfe4532d3b1dd1959bce669f9a5ccc99e64ef511729
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | file | name | jquery | High
Product | file | name | jquery | High
Version | file | version | 1.8.2 | High
Published Vulnerabilities
CVE-2012-6708
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions (NVD):
cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 1.9.0
CVE-2015-9251
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions (NVD):
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.0.7
cpe:2.3:a:oracle:communications_webrtc_session_controller:*:*:*:*:*:*:*:* versions up to (excluding) 7.2
cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:oss_support_tools:19.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*
cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.0.0
cpe:2.3:a:oracle:endeca_information_discovery_studio:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5
cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:* versions up to (excluding) 7.0.0.1
cpe:2.3:a:oracle:healthcare_foundation:7.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_liquidity_risk_management:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.6
cpe:2.3:a:oracle:retail_allocation:15.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:11.1.1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.1; versions up to (including) 17.12
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:* versions up to (excluding) 6.1.0.4.0
cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:* versions from (including) 4.3.0.1; versions up to (including) 4.3.0.4
cpe:2.3:a:oracle:retail_sales_audit:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_operations_monitor:4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7
cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_foundation:7.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_operations_monitor:3.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:real-time_scheduler:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_invoice_matching:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7
cpe:2.3:a:oracle:weblogic_server:12.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_workforce_management_software:1.64.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:siebel_ui_framework:18.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6
cpe:2.3:a:oracle:siebel_ui_framework:18.11:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.4:*:*:*:*:*:*:*
CVE-2019-11358
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions (NVD):
cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.5.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.1.0
cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.8
cpe:2.3:a:oracle:jdeveloper_and_adf:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:bi_publisher:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdeveloper_and_adf:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:virtualization_manager:4.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 19.1
cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0; versions up to (including) 19.12.4
cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from (including) 17.7; versions up to (including) 17.12
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:diagnostic_assistant:2.12.36:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:policy_automation:10.4.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:knowledge:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (including) 8.6.3
cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.0.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_foundation:7.2.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_operations_monitor:4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:transportation_management:1.4.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.2; versions up to (including) 8.0.7
cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_service_level_management:13.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*
cpe:2.3:a:oracle:financial_services_asset_liability_management:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:application_testing_suite:13.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.11.0; versions up to (excluding) 1.11.9
cpe:2.3:a:oracle:real-time_scheduler:*:*:*:*:*:*:*:* versions from (including) 2.3.0.1; versions up to (including) 2.3.0.3
cpe:2.3:a:oracle:jdeveloper_and_adf:11.1.1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_retail_customer_analytics:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.6
cpe:2.3:a:oracle:service_bus:11.1.1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_central_office:14.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:8.0.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from (including) 5.0.0.0; versions up to (including) 5.6.0.0
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 7.3.3; versions up to (including) 7.3.5
cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:policy_automation:12.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7
cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*
cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:* versions from (including) 19.1.0; versions up to (including) 19.1.2
cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.15
cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_service_level_management:13.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.6.0; versions up to (excluding) 8.6.15
cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0
cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from (including) 6.0; versions up to (including) 6.4
cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation:12.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_testing_suite:13.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_operations_monitor:4.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_performance_insight:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from (including) 2.4.0; versions up to (including) 2.10.0 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2.0; versions up to (including) 16.2.11 cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7 cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_point-of-service:14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:* cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.15 cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:* versions 
from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:big_data_discovery:1.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_ifrs_17_analyzer:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9 cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from (including) 2.7.0; versions up to (including) 2.8.0 cpe:2.3:a:oracle:system_utilities:19.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:tape_library_acsls:8.5.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.4.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9 cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:* cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.66 cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:* cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:* cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.5.0; versions up to (excluding) 8.5.15 cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3 cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:*:*:*:*:*:*:* cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:* versions from (including) 1.12.0; versions up to (excluding) 1.12.6 cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:15.2.18:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.4; versions up to (including) 8.0.7 cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7 cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:bi_publisher:5.5.0.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:bi_publisher:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:* cpe:2.3:a:oracle:tape_library_acsls:8.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_mobile_applications:*:*:*:*:*:*:*:* versions up to (including) 19.8 cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_mobile_workforce_management:*:*:*:*:*:*:*:* versions from (including) 2.3.0.1; versions up to (including) 2.3.0.3
CVE-2020-11022
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions (NVD):
cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_supplier_collaboration_for_process:6.2.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:* cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0 cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6 cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_profitability_management:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_profitability_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70 
cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.20 cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9 cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8 cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8 cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.6.0.0; versions up to (including) 8.1.0.0.0 cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:* cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9 cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from (including) 5.0.0.0; versions up to (including) 5.6.0.0 cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0 cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8 cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8 cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.20 cpe:2.3:a:oracle:communications_diameter_signaling_router_idih\::*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.2.2 cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:* versions from (including) 19.1.0; versions up to (including) 19.1.2 cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8 cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:* cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:* cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.2; versions up to (excluding) 3.5.0 cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
CVE-2020-11023
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions (NVD):
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:* cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:* cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3 cpe:2.3:a:netapp:snapcenter_server:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0 cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_mobile:*:*:*:*:*:*:*:* versions up to (including) 20.12 cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:* cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6 cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2; versions up to (including) 16.2.11 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0; versions up to (including) 19.12.4 cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:* cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from (including) 2.4.0; versions up to (including) 2.10.0 cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7 
cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.0.3; versions up to (excluding) 3.5.0 cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:* cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0 cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70 cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:* cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from (including) 2.7.0; versions up to (including) 2.8.0 cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:* cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14 cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3 cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_human_capital_management_resources:9.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9 cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 20.2 cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from (including) 6.1; versions up to (including) 6.4 cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:* cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
scala-compiler-2.10.0.jar: jquery.layout.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.10.0/fec8066cd2b4f8dc7ff7ba7a8e0a792939d9f9a/scala-compiler-2.10.0.jar/scala/tools/nsc/doc/html/resource/lib/jquery.layout.js
MD5: ba42679ab5ce86e54d4f3d4d480e6609
SHA1: 0be8c667d43687590cf3ec3abb8b47c4349453ac
SHA256: 0bd0f3fd24187c12afef6fdadc45829e8397bd86bf350bfab966c090203a657c
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
scala-compiler-2.10.0.jar: modernizr.custom.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.10.0/fec8066cd2b4f8dc7ff7ba7a8e0a792939d9f9a/scala-compiler-2.10.0.jar/scala/tools/nsc/doc/html/resource/lib/modernizr.custom.js
MD5: 350aeacb2780a90495094db70b7a6d21
SHA1: 0b78efd666ca58b71e87d86e83f4768ce51d6348
SHA256: d7ba4db2f617af853ad324e7e1a012c43f14ec7436afad430794bb1fe11f7e99
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
scala-compiler-2.10.0.jar: raphael-min.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.10.0/fec8066cd2b4f8dc7ff7ba7a8e0a792939d9f9a/scala-compiler-2.10.0.jar/scala/tools/nsc/doc/html/resource/lib/raphael-min.js
MD5: ffd330bd214b7b0a8e14e613765b606e
SHA1: bfd83096d2178219ccd3f8fc592ae41cdf4e822e
SHA256: bc48ca793c3d326ffb5dc26272f0080516416bb772bf97072f0ee44ef0902d4a
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
scala-compiler-2.10.0.jar: scheduler.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.10.0/fec8066cd2b4f8dc7ff7ba7a8e0a792939d9f9a/scala-compiler-2.10.0.jar/scala/tools/nsc/doc/html/resource/lib/scheduler.js
MD5: c8935628dd9136fbd393272f5ad4ddcf
SHA1: 3bfb402f3c98e5f16614849b2fef101d86dfd36e
SHA256: fc3f0dfd8c921b1bc7fe81ccc488cc019bdff330aa0ba82651c857acde10db15
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
scala-compiler-2.10.0.jar: template.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.10.0/fec8066cd2b4f8dc7ff7ba7a8e0a792939d9f9a/scala-compiler-2.10.0.jar/scala/tools/nsc/doc/html/resource/lib/template.js
MD5: b30b730f804d5afceee582903f4cc26e
SHA1: b5724b735c3e4e60e827417232be78831584ff70
SHA256: 93021a12c274f65eeaf7bd3c81dd560e1d2a3de0e00f82104d575e344feacfb0
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
scala-compiler-2.10.0.jar: tools.tooltip.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-compiler/2.10.0/fec8066cd2b4f8dc7ff7ba7a8e0a792939d9f9a/scala-compiler-2.10.0.jar/scala/tools/nsc/doc/html/resource/lib/tools.tooltip.js
MD5: 03e77aac18ea20591d845ec76dff56de
SHA1: a792987be027c6076ba530129452482556515a9a
SHA256: 57e3a83e9784ff5d76bead2740133ef115fd29eb76fc9a77f151f4674430048e
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
scala-library-2.10.7.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-library/2.10.7/ac1add55906d5b811e4dee996fc9c8fc6da6bf59/scala-library-2.10.7.jar
MD5: 627b4232273c9d657cbb5b0a57f48e1e
SHA1: ac1add55906d5b811e4dee996fc9c8fc6da6bf59
SHA256: 691193f773eb114db18b48e94132612f4d910f11efd36c2f1547e636db96e4e5
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | scala-library | High
Vendor | gradle | groupid | org.scala-lang | Highest
Vendor | jar | package name | scala | Highest
Vendor | Manifest | bundle-symbolicname | org.scala-lang.scala-library | Medium
Vendor | jar | package name | scala | Low
Product | file | name | scala-library | High
Product | gradle | artifactid | scala-library | Highest
Product | jar | package name | scala | Highest
Product | Manifest | Bundle-Name | Scala Standard Library | Medium
Product | Manifest | bundle-symbolicname | org.scala-lang.scala-library | Medium
Version | file | name | scala-library | Medium
Version | gradle | version | 2.10.7 | Highest
Version | file | version | 2.10.7 | High
Version | Manifest | Bundle-Version | 2.10.7.v20171031-225236-VFINAL-89e57bc7ad | High
scala-reflect-2.10.0.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scala-reflect/2.10.0/10ec1256a6e875e886fec050edb0669166912d0d/scala-reflect-2.10.0.jar
MD5: 807058212d45c796f30a4f6ff26acb02
SHA1: 10ec1256a6e875e886fec050edb0669166912d0d
SHA256: 84bae8ce3b369febb9436fe36ed9b9d7dcc51af2cc9b8a3317a33124cfd5d4a9
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | jar | package name | internal | Low
Vendor | gradle | groupid | org.scala-lang | Highest
Vendor | jar | package name | scala | Highest
Vendor | Manifest | bundle-symbolicname | org.scala-lang.scala-reflect | Medium
Vendor | jar | package name | reflect | Low
Vendor | file | name | scala-reflect | High
Vendor | jar | package name | scala | Low
Vendor | jar | package name | reflect | Highest
Product | jar | package name | internal | Low
Product | jar | package name | scala | Highest
Product | Manifest | bundle-symbolicname | org.scala-lang.scala-reflect | Medium
Product | Manifest | Bundle-Name | Scala Reflect | Medium
Product | jar | package name | reflect | Low
Product | gradle | artifactid | scala-reflect | Highest
Product | file | name | scala-reflect | High
Product | jar | package name | reflect | Highest
Version | Manifest | Bundle-Version | 2.10.0.v20121205-112020-VFINAL-18481cef9b | High
Version | gradle | version | 2.10.0 | Highest
Version | file | version | 2.10.0 | High
Version | file | name | scala-reflect | Medium
Published Vulnerabilities
CVE-2017-15288
The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and 2.12.x before 2.12.4 uses weak permissions for private files in /tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows local users to write to arbitrary class files and consequently gain privileges. CWE-732 Incorrect Permission Assignment for Critical Resource
CVSSv2: Base Score: HIGH (7.2) Vector: /AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSSv3: Base Score: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
CONFIRM - http://scala-lang.org/news/security-update-nov17.html
CONFIRM - https://github.com/scala/scala/pull/6108
CONFIRM - https://github.com/scala/scala/pull/6120
CONFIRM - https://github.com/scala/scala/pull/6128
GENTOO - GLSA-201812-08
MLIST - [activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar
MLIST - [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities
MLIST - [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
MLIST - [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
MLIST - [druid-commits] 20210302 [GitHub] [druid] abhishekagarwal87 opened a new pull request #10933: Suppress CVE-2017-15288 and upgrade bcprov-ext-jdk15on
MLIST - [druid-commits] 20210302 [GitHub] [druid] maytasm merged pull request #10933: Suppress CVE-2017-15288 and upgrade bcprov-ext-jdk15on
MLIST - [kafka-dev] 20210211 [jira] [Created] (KAFKA-12325) Update to secure versions of scala libraries due to CVE-2017-15288
MLIST - [kafka-dev] 20210215 [jira] [Resolved] (KAFKA-12325) Is Kafka affected by Scala security vulnerability (CVE-2017-15288)?
MLIST - [kafka-jira] 20210211 [jira] [Created] (KAFKA-12325) Update to secure versions of scala libraries due to CVE-2017-15288
MLIST - [kafka-jira] 20210211 [jira] [Updated] (KAFKA-12325) Is Kafka affected by Scala security vulnerability (CVE-2017-15288)?
MLIST - [kafka-jira] 20210212 [jira] [Commented] (KAFKA-12325) Is Kafka affected by Scala security vulnerability (CVE-2017-15288)?
MLIST - [kafka-jira] 20210214 [jira] [Commented] (KAFKA-12325) Is Kafka affected by Scala security vulnerability (CVE-2017-15288)?
MLIST - [kafka-jira] 20210215 [jira] [Commented] (KAFKA-12325) Is Kafka affected by Scala security vulnerability (CVE-2017-15288)?
MLIST - [kafka-jira] 20210215 [jira] [Resolved] (KAFKA-12325) Is Kafka affected by Scala security vulnerability (CVE-2017-15288)?
OSSINDEX - [CVE-2017-15288] Permissions, Privileges, and Access Controls
Vulnerable Software & Versions:
scalap-2.10.0.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.scala-lang/scalap/2.10.0/ab42ae21d1fd7311b367fe3d7f33343f2e4bff6b/scalap-2.10.0.jar
MD5: 35720575a68e8553e8783dc5e7284758
SHA1: ab42ae21d1fd7311b367fe3d7f33343f2e4bff6b
SHA256: ca6e4c7a413af3ae9bf2685b6b637e117209bdb795f73e744136b7ed296ea950
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor gradle groupid org.scala-lang Highest Vendor jar package name scalap Low Vendor file name scalap High Vendor jar package name scala Low Vendor jar package name tools Low Product jar package name scalap Low Product gradle artifactid scalap Highest Product file name scalap High Product jar package name scalax Low Product jar package name tools Low Version file name scalap Medium Version gradle version 2.10.0 Highest Version file version 2.10.0 High
scott-data-hsqldb-0.1.jar
Description:
Scott data set in hsqldb format License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.hydromatic/scott-data-hsqldb/0.1/3dd0f7ea938b2d146867d4e9f270b464a46e4543/scott-data-hsqldb-0.1.jar
MD5: bccf5e8193522f2b2691c2decf2f04db
SHA1: 3dd0f7ea938b2d146867d4e9f270b464a46e4543
SHA256: 6f12fc6f1d917169852b9d68ae1d9830061d15836a9e52a10daf28220c85e6d6
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence Type Source Name Value Confidence Vendor pom artifactid scott-data-hsqldb Low Vendor jar package name net Highest Vendor jar package name hydromatic Highest Vendor jar package name data Highest Vendor jar package name scott Low Vendor jar package name scott Highest Vendor pom organization url http://www.hydromatic.net Medium Vendor pom name scott-data-hsqldb High Vendor gradle groupid net.hydromatic Highest Vendor pom groupid net.hydromatic Highest Vendor pom parent-artifactid parent Low Vendor pom url http://github.com/julianhyde/scott-data-hsqldb Highest Vendor jar package name net Low Vendor pom organization name Julian Hyde High Vendor file name scott-data-hsqldb High Vendor jar package name hydromatic Low Product pom parent-artifactid parent Medium Product pom organization name Julian Hyde Low Product jar package name net Highest Product jar package name hydromatic Highest Product jar package name data Highest Product jar package name scott Low Product jar package name scott Highest Product gradle artifactid scott-data-hsqldb Highest Product pom name scott-data-hsqldb High Product pom groupid net.hydromatic Highest Product pom url http://github.com/julianhyde/scott-data-hsqldb Medium Product pom artifactid scott-data-hsqldb Highest Product file name scott-data-hsqldb High Product jar package name hydromatic Low Product pom organization url http://www.hydromatic.net Low Product jar package name data Low Version gradle version 0.1 Highest Version pom version 0.1 Highest Version file version 0.1 High
serializer-2.7.1.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/xalan/serializer/2.7.1/4b4b18df434451249bb65a63f2fb69e215a6a020/serializer-2.7.1.jar
MD5: a6b64dfe58229bdd810263fa0cc54cff
SHA1: 4b4b18df434451249bb65a63f2fb69e215a6a020
SHA256: a15078d243d4a20b6b4e8ae2f61ed4655e352054e121aada6f7441f1ed445a3c
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor manifest: org/apache/xml/serializer/utils/ Implementation-Vendor Apache Software Foundation Medium Vendor jar package name apache Highest Vendor gradle groupid xalan Highest Vendor manifest: org/apache/xml/serializer/ Implementation-Vendor Apache Software Foundation Medium Vendor jar package name apache Low Vendor jar package name serializer Low Vendor jar package name xml Low Vendor file name serializer High Product jar package name serializer Highest Product jar package name apache Highest Product jar package name utils Highest Product jar package name xml Highest Product manifest: org/apache/xml/serializer/ Specification-Title XSL Transformations (XSLT), at http://www.w3.org/TR/xslt Medium Product gradle artifactid serializer Highest Product manifest: org/apache/xml/serializer/utils/ Implementation-Title org.apache.xml.serializer.utils Medium Product manifest: org/apache/xml/serializer/ Implementation-Title org.apache.xml.serializer Medium Product jar package name serializer Low Product jar package name xml Low Product file name serializer High Version file version 2.7.1 High Version manifest: org/apache/xml/serializer/ Implementation-Version 2.7.1 Medium Version manifest: org/apache/xml/serializer/utils/ Implementation-Version 2.7.1 Medium Version file name serializer Medium Version gradle version 2.7.1 Highest
Published Vulnerabilities
CVE-2014-0107 (OSSINDEX)
The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function. CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:xalan:serializer:2.7.1:*:*:*:*:*:*:*
servlet-api-2.5-20081211.jar
Description:
Servlet Specification API License:
http://www.apache.org/licenses/LICENSE-2.0 File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.mortbay.jetty/servlet-api/2.5-20081211/22bff70037e1e6fa7e6413149489552ee2064702/servlet-api-2.5-20081211.jar
MD5: 083898d794cc261853922ca941aee390
SHA1: 22bff70037e1e6fa7e6413149489552ee2064702
SHA256: 068756096996fe00f604ac3b6672d6f663dc777ea4a83056e240d0456e77e472
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath Evidence Type Source Name Value Confidence Vendor jar package name servlet Highest Vendor pom artifactid servlet-api Low Vendor pom groupid mortbay.jetty Highest Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.4 Low Vendor Manifest bundle-docurl http://www.mortbay.com Low Vendor Manifest Implementation-Vendor JCP High Vendor Manifest bundle-symbolicname org.mortbay.jetty.servlet-api Medium Vendor pom parent-groupid org.mortbay.jetty Medium Vendor file name servlet-api High Vendor pom parent-artifactid jetty-parent Low Vendor pom name Servlet Specification API High Vendor gradle groupid org.mortbay.jetty Highest Vendor Manifest originally-created-by 1.5.0_13 (Sun Microsystems Inc.) Low Product jar package name servlet Highest Product pom parent-artifactid jetty-parent Medium Product pom groupid mortbay.jetty Highest Product Manifest bundle-requiredexecutionenvironment J2SE-1.4 Low Product Manifest bundle-docurl http://www.mortbay.com Low Product Manifest bundle-symbolicname org.mortbay.jetty.servlet-api Medium Product pom parent-groupid org.mortbay.jetty Medium Product file name servlet-api High Product pom name Servlet Specification API High Product Manifest Bundle-Name Servlet Specification API Medium Product pom artifactid servlet-api Highest Product jar package name http Highest Product gradle artifactid servlet-api Highest Product Manifest originally-created-by 1.5.0_13 (Sun Microsystems Inc.) Low Version gradle version 2.5-20081211 Highest Version pom version 2.5-20081211 Highest Version pom parent-version 2.5-20081211 Low
Published Vulnerabilities
CVE-2005-3747
Unspecified vulnerability in Jetty before 5.1.6 allows remote attackers to obtain source code of JSP pages, possibly involving requests for .jsp files with URL-encoded backslash ("%5C") characters. NOTE: this might be the same issue as CVE-2006-2758. NVD-CWE-noinfo, CWE-200 Information Exposure
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N References:
Vulnerable Software & Versions:
CVE-2007-5615
CRLF injection vulnerability in Mortbay Jetty before 6.1.6rc0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. CWE-94 Improper Control of Generation of Code ('Code Injection')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N References:
Vulnerable Software & Versions:
CVE-2009-1523
Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI. CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N References:
Vulnerable Software & Versions:
CVE-2009-1524
Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before 6.1.17 allows remote attackers to inject arbitrary web script or HTML via a directory listing request containing a ; (semicolon) character. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N References:
Vulnerable Software & Versions:
CVE-2009-5048
Cookie Dump Servlet stored XSS vulnerability in jetty through 6.1.20. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N CVSSv3:
Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N References:
Vulnerable Software & Versions:
CVE-2009-5049
WebApp JSP Snoop page XSS in jetty through 6.1.21. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N CVSSv3:
Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N References:
Vulnerable Software & Versions:
servlet-api-2.5-6.1.14.jar
Description:
Servlet Specification 2.5 API License:
CDDL 1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.mortbay.jetty/servlet-api-2.5/6.1.14/5f07601ab7d7c85dd9e38a17c0e1b0edfbd4a191/servlet-api-2.5-6.1.14.jar
MD5: 0e13653c2c2b081afe8f92331d81ffa7
SHA1: 5f07601ab7d7c85dd9e38a17c0e1b0edfbd4a191
SHA256: 0ed33ee3051866a3a6331976cdf5098a36aefd16ec1fa2d836eb067e37d46d47
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath Evidence Type Source Name Value Confidence Vendor jar package name servlet Highest Vendor pom parent-artifactid project Low Vendor Manifest mode development Low Vendor pom groupid mortbay.jetty Highest Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.4 Low Vendor Manifest bundle-docurl http://www.mortbay.com Low Vendor Manifest Implementation-Vendor JCP High Vendor pom parent-groupid org.mortbay.jetty Medium Vendor file name servlet-api-2.5-6.1.14 High Vendor pom artifactid servlet-api-2.5 Low Vendor Manifest originally-created-by 1.5.0_16 (Apple Inc.) Low Vendor Manifest url http://jetty.mortbay.org/project/modules/servlet-api-2.5 Low Vendor pom name Servlet Specification 2.5 API High Vendor gradle groupid org.mortbay.jetty Highest Vendor Manifest bundle-symbolicname org.mortbay.jetty.servlet-api-2.5 Medium Product jar package name servlet Highest Product Manifest mode development Low Product pom groupid mortbay.jetty Highest Product Manifest Bundle-Name Servlet Specification 2.5 API Medium Product Manifest bundle-requiredexecutionenvironment J2SE-1.4 Low Product Manifest bundle-docurl http://www.mortbay.com Low Product pom parent-groupid org.mortbay.jetty Medium Product file name servlet-api-2.5-6.1.14 High Product Manifest originally-created-by 1.5.0_16 (Apple Inc.) Low Product pom parent-artifactid project Medium Product Manifest url http://jetty.mortbay.org/project/modules/servlet-api-2.5 Low Product pom name Servlet Specification 2.5 API High Product Manifest bundle-symbolicname org.mortbay.jetty.servlet-api-2.5 Medium Product jar package name http Highest Product pom artifactid servlet-api-2.5 Highest Product gradle artifactid servlet-api-2.5 Highest Version Manifest implementation-version 6.1.14 High Version gradle version 6.1.14 Highest Version pom version 6.1.14 Highest
Published Vulnerabilities
CVE-2009-1523
Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI. CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N References:
Vulnerable Software & Versions:
CVE-2009-1524
Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before 6.1.17 allows remote attackers to inject arbitrary web script or HTML via a directory listing request containing a ; (semicolon) character. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N References:
Vulnerable Software & Versions:
CVE-2009-4609
The Dump Servlet in Mort Bay Jetty 6.x and 7.0.0 allows remote attackers to obtain sensitive information about internal variables and other data via a request to a URI ending in /dump/, as demonstrated by discovering the value of the getPathTranslated variable. CWE-200 Information Exposure
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N References:
Vulnerable Software & Versions:
CVE-2009-4610
Multiple cross-site scripting (XSS) vulnerabilities in Mort Bay Jetty 6.x and 7.0.0 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to jsp/dump.jsp in the JSP Dump feature, or the (2) Name or (3) Value parameter to the default URI for the Session Dump Servlet under session/. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N References:
Vulnerable Software & Versions:
CVE-2009-4611
Mort Bay Jetty 6.x through 6.1.22 and 7.0.0 writes backtrace data without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator, related to (1) a string value in the Age parameter to the default URI for the Cookie Dump Servlet in test-jetty-webapp/src/main/java/com/acme/CookieDump.java under cookie/, (2) an alphabetic value in the A parameter to jsp/expr.jsp, or (3) an alphabetic value in the Content-Length HTTP header to an arbitrary application. CWE-20 Improper Input Validation
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P References:
Vulnerable Software & Versions:
CVE-2009-4612
Multiple cross-site scripting (XSS) vulnerabilities in the WebApp JSP Snoop page in Mort Bay Jetty 6.1.x through 6.1.21 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under (1) jspsnoop/, (2) jspsnoop/ERROR/, and (3) jspsnoop/IOException/, and possibly the PATH_INFO to (4) snoop.jsp. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N References:
Vulnerable Software & Versions:
CVE-2009-5048
Cookie Dump Servlet stored XSS vulnerability in jetty through 6.1.20. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N CVSSv3:
Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N References:
Vulnerable Software & Versions:
CVE-2009-5049
WebApp JSP Snoop page XSS in jetty through 6.1.21. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N CVSSv3:
Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N References:
Vulnerable Software & Versions:
CVE-2011-4461
Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. CWE-310 Cryptographic Issues
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L References:
Vulnerable Software & Versions:
servlet-api-2.5.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.servlet/servlet-api/2.5/5959582d97d8b61f4d154ca9e495aafd16726e34/servlet-api-2.5.jar
MD5: 69ca51af4e9a67a1027a7f95b52c3e8f
SHA1: 5959582d97d8b61f4d154ca9e495aafd16726e34
SHA256: c658ea360a70faeeadb66fb3c90a702e4142a0ab7768f9ae9828678e0d9ad4dc
Referenced In Projects/Scopes:
piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath piglet:default Evidence Type Source Name Value Confidence Vendor jar package name servlet Highest Vendor gradle groupid javax.servlet Highest Vendor file name servlet-api High Vendor jar package name servlet Low Vendor Manifest specification-vendor Sun Microsystems Inc Low Vendor jar package name javax Low Vendor Manifest Implementation-Vendor Sun Microsystems Inc High Vendor Manifest extension-name servlet-api Medium Product jar package name servlet Highest Product file name servlet-api High Product jar package name servlet Low Product Manifest specification-title A component of the Glassfish Application Server Medium Product gradle artifactid servlet-api Highest Product Manifest Implementation-Title High Product Manifest extension-name servlet-api Medium Version Manifest Implementation-Version 2.5 High Version file version 2.5 High
shiro-cache-1.4.0.jar
Description:
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services. License:
https://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.shiro/shiro-cache/1.4.0/ae1496cbdc4cce35c87d9014723863e049f9e2b4/shiro-cache-1.4.0.jar
MD5: 1424b34527e464edb0c42f74ce68876e
SHA1: ae1496cbdc4cce35c87d9014723863e049f9e2b4
SHA256: abab87532d6139cea5a48aee34a20daa15757917a65c7032976fdc014dd4c46a
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath Evidence Type Source Name Value Confidence Vendor Manifest Implementation-Vendor-Id org.apache.shiro Medium Vendor Manifest bundle-symbolicname org.apache.shiro.cache Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor gradle groupid org.apache.shiro Highest Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom name Apache Shiro :: Cache High Vendor jar package name cache Highest Vendor jar package name apache Highest Vendor Manifest bundle-docurl https://www.apache.org/ Low Vendor pom artifactid shiro-cache Low Vendor file name shiro-cache High Vendor pom groupid apache.shiro Highest Vendor jar package name shiro Highest Vendor pom parent-groupid org.apache.shiro Medium Vendor pom parent-artifactid shiro-root Low Product Manifest Bundle-Name Apache Shiro :: Cache Medium Product Manifest bundle-symbolicname org.apache.shiro.cache Medium Product pom parent-artifactid shiro-root Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product Manifest specification-title Apache Shiro :: Cache Medium Product pom name Apache Shiro :: Cache High Product gradle artifactid shiro-cache Highest Product pom artifactid shiro-cache Highest Product jar package name cache Highest Product jar package name apache Highest Product Manifest bundle-docurl https://www.apache.org/ Low Product file name shiro-cache High Product Manifest Implementation-Title Apache Shiro :: Cache High Product pom groupid apache.shiro Highest Product jar package name shiro Highest Product pom parent-groupid org.apache.shiro Medium Version Manifest Implementation-Version 1.4.0 High Version Manifest Bundle-Version 1.4.0 High Version pom version 1.4.0 Highest Version gradle version 1.4.0 Highest Version 
file version 1.4.0 High
Published Vulnerabilities
CVE-2019-12422
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack. NVD-CWE-noinfo
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N References:
Vulnerable Software & Versions:
CVE-2020-11989
Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. CWE-287 Improper Authentication
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References:
Vulnerable Software & Versions:
CVE-2020-13933
Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass. CWE-287 Improper Authentication
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N References:
Vulnerable Software & Versions:
CVE-2020-17510
Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. CWE-306 Missing Authentication for Critical Function
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References:
Vulnerable Software & Versions:
CVE-2020-17523
Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. CWE-863 Incorrect Authorization
CVSSv2:
Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:C CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References:
Vulnerable Software & Versions:
CVE-2020-1957
Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. CWE-287 Improper Authentication
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References:
Vulnerable Software & Versions:
shiro-config-core-1.4.0.jar
Description:
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services. License:
https://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.shiro/shiro-config-core/1.4.0/7d7ede51d15d346d962da9a3743064ddc9163b1d/shiro-config-core-1.4.0.jar
MD5: e0a4f21cff332ce5debddd7633b7d243
SHA1: 7d7ede51d15d346d962da9a3743064ddc9163b1d
SHA256: 77e2cf1d210f334cba0e8902d01fd2acbf61b599c39c6cf023241fc6784a82a0
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath Evidence Type Source Name Value Confidence Vendor Manifest Implementation-Vendor-Id org.apache.shiro Medium Vendor jar package name config Highest Vendor file name shiro-config-core High Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor gradle groupid org.apache.shiro Highest Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name apache Highest Vendor Manifest bundle-docurl https://www.apache.org/ Low Vendor pom name Apache Shiro :: Configuration :: Core High Vendor Manifest bundle-symbolicname org.apache.shiro.config.core Medium Vendor pom artifactid shiro-config-core Low Vendor pom groupid apache.shiro Highest Vendor jar package name shiro Highest Vendor pom parent-groupid org.apache.shiro Medium Vendor pom parent-artifactid shiro-root Low Product gradle artifactid shiro-config-core Highest Product jar package name config Highest Product pom parent-artifactid shiro-root Medium Product file name shiro-config-core High Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product pom artifactid shiro-config-core Highest Product Manifest Bundle-Name Apache Shiro :: Configuration :: Core Medium Product jar package name apache Highest Product Manifest bundle-docurl https://www.apache.org/ Low Product pom name Apache Shiro :: Configuration :: Core High Product Manifest bundle-symbolicname org.apache.shiro.config.core Medium Product Manifest Implementation-Title Apache Shiro :: Configuration :: Core High Product pom groupid apache.shiro Highest Product jar package name shiro Highest Product Manifest specification-title Apache Shiro :: Configuration :: Core Medium Product pom parent-groupid org.apache.shiro Medium Version Manifest Implementation-Version 1.4.0 
High Version Manifest Bundle-Version 1.4.0 High Version pom version 1.4.0 Highest Version gradle version 1.4.0 Highest Version file version 1.4.0 High
Published Vulnerabilities
CVE-2019-12422
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack. NVD-CWE-noinfo
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N References:
Vulnerable Software & Versions:
CVE-2020-11989
Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. CWE-287 Improper Authentication
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References:
Vulnerable Software & Versions:
CVE-2020-13933
Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass. CWE-287 Improper Authentication
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N References:
Vulnerable Software & Versions:
CVE-2020-17510
Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. CWE-306 Missing Authentication for Critical Function
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References:
Vulnerable Software & Versions:
CVE-2020-17523
Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. CWE-863 Incorrect Authorization
CVSSv2:
Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:C CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References:
Vulnerable Software & Versions:
CVE-2020-1957
Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. CWE-287 Improper Authentication
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References:
Vulnerable Software & Versions:
shiro-config-ogdl-1.4.0.jar
Description:
Support for Shiro's Object Graph Definition Language (mostly used in Ini configuration) where
declared name/value pairs are interpreted to create an object graph License:
https://www.apache.org/licenses/LICENSE-2.0.txt File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.shiro/shiro-config-ogdl/1.4.0/28c5f1338030eed8f911f0a816a5ef2716f786a6/shiro-config-ogdl-1.4.0.jar
MD5: 1a3efbe65e8e5b20f540fcf8a73c13c4
SHA1: 28c5f1338030eed8f911f0a816a5ef2716f786a6
SHA256: d21bf04b78c69748db2fcf0315df00347bda43b65ef0aa83a7e496070c8e34f9
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath Evidence Type Source Name Value Confidence Vendor Manifest Implementation-Vendor-Id org.apache.shiro Medium Vendor pom artifactid shiro-config-ogdl Low Vendor pom name Apache Shiro :: Configuration :: OGDL High Vendor jar package name config Highest Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Vendor gradle groupid org.apache.shiro Highest Vendor file name shiro-config-ogdl High Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor jar package name apache Highest Vendor Manifest bundle-docurl https://www.apache.org/ Low Vendor Manifest bundle-symbolicname org.apache.shiro.config.core Medium Vendor pom groupid apache.shiro Highest Vendor jar package name shiro Highest Vendor pom parent-groupid org.apache.shiro Medium Vendor pom parent-artifactid shiro-root Low Product pom name Apache Shiro :: Configuration :: OGDL High Product jar package name config Highest Product pom parent-artifactid shiro-root Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" Low Product file name shiro-config-ogdl High Product Manifest specification-title Apache Shiro :: Configuration :: OGDL Medium Product jar package name apache Highest Product Manifest bundle-docurl https://www.apache.org/ Low Product pom artifactid shiro-config-ogdl Highest Product Manifest Implementation-Title Apache Shiro :: Configuration :: OGDL High Product Manifest bundle-symbolicname org.apache.shiro.config.core Medium Product gradle artifactid shiro-config-ogdl Highest Product pom groupid apache.shiro Highest Product jar package name shiro Highest Product Manifest Bundle-Name Apache Shiro :: Configuration :: OGDL Medium Product pom parent-groupid org.apache.shiro Medium Version Manifest Implementation-Version 1.4.0 
High Version Manifest Bundle-Version 1.4.0 High Version pom version 1.4.0 Highest Version gradle version 1.4.0 Highest Version file version 1.4.0 High
Published Vulnerabilities
CVE-2019-12422
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack. NVD-CWE-noinfo
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N References:
Vulnerable Software & Versions:
CVE-2020-11989 suppress
Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. CWE-287 Improper Authentication
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References:
Vulnerable Software & Versions:
CVE-2020-13933 suppress
Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass. CWE-287 Improper Authentication
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N References:
Vulnerable Software & Versions:
CVE-2020-17510 suppress
Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. CWE-306 Missing Authentication for Critical Function
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References:
Vulnerable Software & Versions:
CVE-2020-17523 suppress
Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. CWE-863 Incorrect Authorization
CVSSv2:
Base Score: HIGH (9.0) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:C CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References:
Vulnerable Software & Versions:
CVE-2020-1957 suppress
Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. CWE-287 Improper Authentication
CVSSv2:
Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P CVSSv3:
Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References:
Vulnerable Software & Versions:
shiro-core-1.4.0.jar
Description: Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.shiro/shiro-core/1.4.0/6d05bd17e057fc12d278bb367c27f9cb0f3dc197/shiro-core-1.4.0.jar
MD5: 1268db1dcfc96e6ad1a297bda1e03eea
SHA1: 6d05bd17e057fc12d278bb367c27f9cb0f3dc197
SHA256: 1c1aa41af7a3314678154ff0456d7592bbd00f298ce3a94a417a1bd4bcfd1104
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence)
Vendor | Manifest | Implementation-Vendor-Id | org.apache.shiro | Medium
Vendor | file | name | shiro-core | High
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Vendor | gradle | groupid | org.apache.shiro | Highest
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | bundle-symbolicname | org.apache.shiro.core | Medium
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | name | Apache Shiro :: Core | High
Vendor | jar | package name | apache | Highest
Vendor | Manifest | bundle-docurl | https://www.apache.org/ | Low
Vendor | pom | groupid | apache.shiro | Highest
Vendor | jar | package name | shiro | Highest
Vendor | pom | parent-groupid | org.apache.shiro | Medium
Vendor | pom | parent-artifactid | shiro-root | Low
Vendor | pom | artifactid | shiro-core | Low
Product | file | name | shiro-core | High
Product | gradle | artifactid | shiro-core | Highest
Product | pom | parent-artifactid | shiro-root | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | Manifest | specification-title | Apache Shiro :: Core | Medium
Product | Manifest | Implementation-Title | Apache Shiro :: Core | High
Product | Manifest | bundle-symbolicname | org.apache.shiro.core | Medium
Product | jar | package name | session | Highest
Product | pom | name | Apache Shiro :: Core | High
Product | jar | package name | apache | Highest
Product | Manifest | bundle-docurl | https://www.apache.org/ | Low
Product | pom | artifactid | shiro-core | Highest
Product | pom | groupid | apache.shiro | Highest
Product | jar | package name | shiro | Highest
Product | pom | parent-groupid | org.apache.shiro | Medium
Product | Manifest | Bundle-Name | Apache Shiro :: Core | Medium
Version | Manifest | Implementation-Version | 1.4.0 | High
Version | Manifest | Bundle-Version | 1.4.0 | High
Version | pom | version | 1.4.0 | Highest
Version | gradle | version | 1.4.0 | Highest
Version | file | version | 1.4.0 | High
Published Vulnerabilities
CVE-2019-12422
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2020-11989
Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE: CWE-287 Improper Authentication
CVSSv2: Base Score: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-13933
Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
CWE: CWE-287 Improper Authentication
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2020-17510
Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE: CWE-306 Missing Authentication for Critical Function
CVSSv2: Base Score: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-17523
Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE: CWE-863 Incorrect Authorization
CVSSv2: Base Score: HIGH (9.0) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-1957
Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE: CWE-287 Improper Authentication
CVSSv2: Base Score: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
shiro-crypto-cipher-1.4.0.jar
Description: Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.shiro/shiro-crypto-cipher/1.4.0/78020924ddce7632daa3b9acb698167c240df623/shiro-crypto-cipher-1.4.0.jar
MD5: 869c982ffffd7e8dc228500dd4ece97d
SHA1: 78020924ddce7632daa3b9acb698167c240df623
SHA256: 67f8bc6f9dfa11a9c4959284f2f591dbd238ca20e1fbd1964d0c2daa69cf9ec0
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence)
Vendor | Manifest | Implementation-Vendor-Id | org.apache.shiro | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Vendor | pom | name | Apache Shiro :: Cryptography :: Ciphers | High
Vendor | gradle | groupid | org.apache.shiro | Highest
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | pom | artifactid | shiro-crypto-cipher | Low
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | file | name | shiro-crypto-cipher | High
Vendor | jar | package name | crypto | Highest
Vendor | jar | package name | apache | Highest
Vendor | Manifest | bundle-docurl | https://www.apache.org/ | Low
Vendor | Manifest | bundle-symbolicname | org.apache.shiro.crypto.cipher | Medium
Vendor | pom | groupid | apache.shiro | Highest
Vendor | jar | package name | shiro | Highest
Vendor | pom | parent-groupid | org.apache.shiro | Medium
Vendor | pom | parent-artifactid | shiro-root | Low
Product | Manifest | Bundle-Name | Apache Shiro :: Cryptography :: Ciphers | Medium
Product | pom | parent-artifactid | shiro-root | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | pom | name | Apache Shiro :: Cryptography :: Ciphers | High
Product | pom | artifactid | shiro-crypto-cipher | Highest
Product | file | name | shiro-crypto-cipher | High
Product | jar | package name | crypto | Highest
Product | jar | package name | apache | Highest
Product | Manifest | bundle-docurl | https://www.apache.org/ | Low
Product | gradle | artifactid | shiro-crypto-cipher | Highest
Product | Manifest | bundle-symbolicname | org.apache.shiro.crypto.cipher | Medium
Product | Manifest | Implementation-Title | Apache Shiro :: Cryptography :: Ciphers | High
Product | Manifest | specification-title | Apache Shiro :: Cryptography :: Ciphers | Medium
Product | pom | groupid | apache.shiro | Highest
Product | jar | package name | shiro | Highest
Product | pom | parent-groupid | org.apache.shiro | Medium
Version | Manifest | Implementation-Version | 1.4.0 | High
Version | Manifest | Bundle-Version | 1.4.0 | High
Version | pom | version | 1.4.0 | Highest
Version | gradle | version | 1.4.0 | Highest
Version | file | version | 1.4.0 | High
Published Vulnerabilities
CVE-2019-12422
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2020-11989
Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE: CWE-287 Improper Authentication
CVSSv2: Base Score: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-13933
Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
CWE: CWE-287 Improper Authentication
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2020-17510
Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE: CWE-306 Missing Authentication for Critical Function
CVSSv2: Base Score: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-17523
Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE: CWE-863 Incorrect Authorization
CVSSv2: Base Score: HIGH (9.0) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-1957
Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE: CWE-287 Improper Authentication
CVSSv2: Base Score: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
shiro-crypto-core-1.4.0.jar
Description: Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.shiro/shiro-crypto-core/1.4.0/7049325bba697985eee924eda03cb7971af1b808/shiro-crypto-core-1.4.0.jar
MD5: 53fc38f4845087acf364bcf9a507fdd7
SHA1: 7049325bba697985eee924eda03cb7971af1b808
SHA256: 1cba00a55eb65858ba0fd76e515d2177e6b834f37277a76afecd1cad0957d36c
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence)
Vendor | Manifest | Implementation-Vendor-Id | org.apache.shiro | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Vendor | pom | name | Apache Shiro :: Cryptography :: Core | High
Vendor | gradle | groupid | org.apache.shiro | Highest
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | Manifest | bundle-symbolicname | org.apache.shiro.crypto.core | Medium
Vendor | jar | package name | crypto | Highest
Vendor | pom | artifactid | shiro-crypto-core | Low
Vendor | jar | package name | apache | Highest
Vendor | Manifest | bundle-docurl | https://www.apache.org/ | Low
Vendor | pom | groupid | apache.shiro | Highest
Vendor | file | name | shiro-crypto-core | High
Vendor | jar | package name | shiro | Highest
Vendor | pom | parent-groupid | org.apache.shiro | Medium
Vendor | pom | parent-artifactid | shiro-root | Low
Product | pom | artifactid | shiro-crypto-core | Highest
Product | pom | parent-artifactid | shiro-root | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | pom | name | Apache Shiro :: Cryptography :: Core | High
Product | Manifest | bundle-symbolicname | org.apache.shiro.crypto.core | Medium
Product | jar | package name | crypto | Highest
Product | Manifest | specification-title | Apache Shiro :: Cryptography :: Core | Medium
Product | jar | package name | apache | Highest
Product | Manifest | bundle-docurl | https://www.apache.org/ | Low
Product | Manifest | Implementation-Title | Apache Shiro :: Cryptography :: Core | High
Product | gradle | artifactid | shiro-crypto-core | Highest
Product | pom | groupid | apache.shiro | Highest
Product | Manifest | Bundle-Name | Apache Shiro :: Cryptography :: Core | Medium
Product | file | name | shiro-crypto-core | High
Product | jar | package name | shiro | Highest
Product | pom | parent-groupid | org.apache.shiro | Medium
Version | Manifest | Implementation-Version | 1.4.0 | High
Version | Manifest | Bundle-Version | 1.4.0 | High
Version | pom | version | 1.4.0 | Highest
Version | gradle | version | 1.4.0 | Highest
Version | file | version | 1.4.0 | High
Published Vulnerabilities
CVE-2019-12422
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2020-11989
Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE: CWE-287 Improper Authentication
CVSSv2: Base Score: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-13933
Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
CWE: CWE-287 Improper Authentication
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2020-17510
Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE: CWE-306 Missing Authentication for Critical Function
CVSSv2: Base Score: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-17523
Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE: CWE-863 Incorrect Authorization
CVSSv2: Base Score: HIGH (9.0) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-1957
Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE: CWE-287 Improper Authentication
CVSSv2: Base Score: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
shiro-crypto-hash-1.4.0.jar
Description: Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.shiro/shiro-crypto-hash/1.4.0/b767d3db10f01dfba79c04cbc9e17eae0247b9c/shiro-crypto-hash-1.4.0.jar
MD5: 66dafe1350b86759d887ab181f181759
SHA1: 0b767d3db10f01dfba79c04cbc9e17eae0247b9c
SHA256: 3a40fb67aa4c118cb3e47ca339a3094707778f0ea0c9fedca2147c9bfdb8647f
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence)
Vendor | Manifest | Implementation-Vendor-Id | org.apache.shiro | Medium
Vendor | file | name | shiro-crypto-hash | High
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Vendor | gradle | groupid | org.apache.shiro | Highest
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | jar | package name | hash | Highest
Vendor | jar | package name | crypto | Highest
Vendor | pom | name | Apache Shiro :: Cryptography :: Hashing | High
Vendor | jar | package name | apache | Highest
Vendor | Manifest | bundle-docurl | https://www.apache.org/ | Low
Vendor | Manifest | bundle-symbolicname | org.apache.shiro.crypto.hash | Medium
Vendor | pom | artifactid | shiro-crypto-hash | Low
Vendor | pom | groupid | apache.shiro | Highest
Vendor | jar | package name | shiro | Highest
Vendor | pom | parent-groupid | org.apache.shiro | Medium
Vendor | pom | parent-artifactid | shiro-root | Low
Product | gradle | artifactid | shiro-crypto-hash | Highest
Product | file | name | shiro-crypto-hash | High
Product | pom | parent-artifactid | shiro-root | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | pom | artifactid | shiro-crypto-hash | Highest
Product | jar | package name | hash | Highest
Product | jar | package name | crypto | Highest
Product | pom | name | Apache Shiro :: Cryptography :: Hashing | High
Product | jar | package name | apache | Highest
Product | Manifest | bundle-docurl | https://www.apache.org/ | Low
Product | Manifest | bundle-symbolicname | org.apache.shiro.crypto.hash | Medium
Product | Manifest | Bundle-Name | Apache Shiro :: Cryptography :: Hashing | Medium
Product | Manifest | specification-title | Apache Shiro :: Cryptography :: Hashing | Medium
Product | pom | groupid | apache.shiro | Highest
Product | jar | package name | shiro | Highest
Product | pom | parent-groupid | org.apache.shiro | Medium
Product | Manifest | Implementation-Title | Apache Shiro :: Cryptography :: Hashing | High
Version | Manifest | Implementation-Version | 1.4.0 | High
Version | Manifest | Bundle-Version | 1.4.0 | High
Version | pom | version | 1.4.0 | Highest
Version | gradle | version | 1.4.0 | Highest
Version | file | version | 1.4.0 | High
Published Vulnerabilities
CVE-2019-12422
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2020-11989
Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE: CWE-287 Improper Authentication
CVSSv2: Base Score: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-13933
Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
CWE: CWE-287 Improper Authentication
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2020-17510
Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE: CWE-306 Missing Authentication for Critical Function
CVSSv2: Base Score: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-17523
Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE: CWE-863 Incorrect Authorization
CVSSv2: Base Score: HIGH (9.0) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-1957
Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE: CWE-287 Improper Authentication
CVSSv2: Base Score: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
shiro-event-1.4.0.jar
Description: Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.shiro/shiro-event/1.4.0/df4e83b5200940439e0c7ba4fc145902900e2cd/shiro-event-1.4.0.jar
MD5: 2c7267be4f08a425b52287fa01687a2a
SHA1: 0df4e83b5200940439e0c7ba4fc145902900e2cd
SHA256: eed623e101d2bc5b29be2c93679504d411eedb2261b95a478cd5140d82734e7c
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence)
Vendor | Manifest | Implementation-Vendor-Id | org.apache.shiro | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Vendor | gradle | groupid | org.apache.shiro | Highest
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | bundle-symbolicname | org.apache.shiro.event | Medium
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | artifactid | shiro-event | Low
Vendor | jar | package name | apache | Highest
Vendor | Manifest | bundle-docurl | https://www.apache.org/ | Low
Vendor | pom | name | Apache Shiro :: Event | High
Vendor | file | name | shiro-event | High
Vendor | pom | groupid | apache.shiro | Highest
Vendor | jar | package name | event | Highest
Vendor | jar | package name | shiro | Highest
Vendor | pom | parent-groupid | org.apache.shiro | Medium
Vendor | pom | parent-artifactid | shiro-root | Low
Product | Manifest | specification-title | Apache Shiro :: Event | Medium
Product | pom | parent-artifactid | shiro-root | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | Manifest | Implementation-Title | Apache Shiro :: Event | High
Product | pom | artifactid | shiro-event | Highest
Product | Manifest | bundle-symbolicname | org.apache.shiro.event | Medium
Product | Manifest | Bundle-Name | Apache Shiro :: Event | Medium
Product | jar | package name | apache | Highest
Product | Manifest | bundle-docurl | https://www.apache.org/ | Low
Product | pom | name | Apache Shiro :: Event | High
Product | gradle | artifactid | shiro-event | Highest
Product | file | name | shiro-event | High
Product | pom | groupid | apache.shiro | Highest
Product | jar | package name | event | Highest
Product | jar | package name | shiro | Highest
Product | pom | parent-groupid | org.apache.shiro | Medium
Version | Manifest | Implementation-Version | 1.4.0 | High
Version | Manifest | Bundle-Version | 1.4.0 | High
Version | pom | version | 1.4.0 | Highest
Version | gradle | version | 1.4.0 | Highest
Version | file | version | 1.4.0 | High
Published Vulnerabilities
CVE-2019-12422
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2020-11989
Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE: CWE-287 Improper Authentication
CVSSv2: Base Score: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-13933
Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
CWE: CWE-287 Improper Authentication
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2020-17510
Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE: CWE-306 Missing Authentication for Critical Function
CVSSv2: Base Score: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-17523
Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE: CWE-863 Incorrect Authorization
CVSSv2: Base Score: HIGH (9.0) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-1957
Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE: CWE-287 Improper Authentication
CVSSv2: Base Score: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
shiro-lang-1.4.0.jar
Description: The lang module encapsulates only language-specific utilities that are used by various other modules. It exists to augment what we would have liked to see in the JDK but does not exist.
License: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.shiro/shiro-lang/1.4.0/6895b5d14e7be7a77297336b037d7a7e79e858d6/shiro-lang-1.4.0.jar
MD5: c654a538ef466eb33aeb7ff59e027a01
SHA1: 6895b5d14e7be7a77297336b037d7a7e79e858d6
SHA256: 8d78850ff764f72803568bbe0789eee513e2dcee990f465adbfdf0916a10ea9d
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence)
Vendor | Manifest | Implementation-Vendor-Id | org.apache.shiro | Medium
Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Vendor | gradle | groupid | org.apache.shiro | Highest
Vendor | Manifest | bundle-symbolicname | org.apache.shiro.lang | Medium
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | pom | artifactid | shiro-lang | Low
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | file | name | shiro-lang | High
Vendor | jar | package name | apache | Highest
Vendor | Manifest | bundle-docurl | https://www.apache.org/ | Low
Vendor | pom | groupid | apache.shiro | Highest
Vendor | jar | package name | shiro | Highest
Vendor | pom | parent-groupid | org.apache.shiro | Medium
Vendor | pom | parent-artifactid | shiro-root | Low
Vendor | pom | name | Apache Shiro :: Lang | High
Product | pom | parent-artifactid | shiro-root | Medium
Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))" | Low
Product | pom | artifactid | shiro-lang | Highest
Product | Manifest | bundle-symbolicname | org.apache.shiro.lang | Medium
Product | Manifest | Bundle-Name | Apache Shiro :: Lang | Medium
Product | file | name | shiro-lang | High
Product | Manifest | Implementation-Title | Apache Shiro :: Lang | High
Product | jar | package name | apache | Highest
Product | Manifest | bundle-docurl | https://www.apache.org/ | Low
Product | gradle | artifactid | shiro-lang | Highest
Product | Manifest | specification-title | Apache Shiro :: Lang | Medium
Product | pom | groupid | apache.shiro | Highest
Product | jar | package name | shiro | Highest
Product | pom | parent-groupid | org.apache.shiro | Medium
Product | pom | name | Apache Shiro :: Lang | High
Version | Manifest | Implementation-Version | 1.4.0 | High
Version | Manifest | Bundle-Version | 1.4.0 | High
Version | pom | version | 1.4.0 | Highest
Version | gradle | version | 1.4.0 | Highest
Version | file | version | 1.4.0 | High
Published Vulnerabilities
CVE-2019-12422
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2020-11989
Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE: CWE-287 Improper Authentication
CVSSv2: Base Score: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-13933
Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
CWE: CWE-287 Improper Authentication
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2020-17510
Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE: CWE-306 Missing Authentication for Critical Function
CVSSv2: Base Score: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-17523
Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CWE: CWE-863 Incorrect Authorization
CVSSv2: Base Score: HIGH (9.0) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-1957
Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
CWE: CWE-287 Improper Authentication
CVSSv2: Base Score: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
sketches-core-0.9.0.jar
Description: Sketches-core contains the core algorithms used by other repositories in the DataSketches library.
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.yahoo.datasketches/sketches-core/0.9.0/ba592b4cca8eb7dd425721acc1b5d4c034e34fa0/sketches-core-0.9.0.jar
MD5: ae2f36640cd69ef20c83712c96cf017d
SHA1: ba592b4cca8eb7dd425721acc1b5d4c034e34fa0
SHA256: 672a7973eae372d9f6ad9dab5904292ab38a1be2b7445521a0d820a59f2ae13c
Referenced In Projects/Scopes:
babel:default piglet:runtimeClasspath spark:default splunk:default function:runtimeClasspath kafka:default redis:runtimeClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath core:default babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default pig:default plus:runtimeClasspath function:default csv:default core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath core:compileClasspath file:runtimeClasspath innodb:runtimeClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default elasticsearch:default druid:runtimeClasspath mongodb:runtimeClasspath file:default server:default pig:runtimeClasspath mongodb:default redis:default geode:runtimeClasspath csv:runtimeClasspath plus:default cassandra:default Evidence Type Source Name Value Confidence Vendor pom artifactid sketches-core Low Vendor jar package name sketches Highest Vendor pom name ${project.parent.groupId}:${project.artifactId} High Vendor jar package name yahoo Low Vendor pom groupid yahoo.datasketches Highest Vendor file name sketches-core High Vendor pom parent-groupid com.yahoo.datasketches Medium Vendor jar package name sketches Low Vendor gradle groupid com.yahoo.datasketches Highest Vendor jar package name yahoo Highest Vendor pom parent-artifactid sketches Low Product jar package name sketches Highest Product pom artifactid sketches-core Highest Product pom name ${project.parent.groupId}:${project.artifactId} High Product pom groupid yahoo.datasketches Highest Product gradle artifactid sketches-core Highest Product file name sketches-core High Product pom parent-groupid com.yahoo.datasketches Medium Product jar package name sketches Low Product pom parent-artifactid sketches Medium Product jar package name yahoo Highest Version file version 0.9.0 High Version pom version 0.9.0 Highest Version gradle version 0.9.0 Highest
slf4j-api-1.7.25.jar
Description: The slf4j API
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.slf4j/slf4j-api/1.7.25/da76ca59f6a57ee3102f8f9bd9cee742973efa8a/slf4j-api-1.7.25.jar
MD5: caafe376afb7086dcbee79f780394ca3
SHA1: da76ca59f6a57ee3102f8f9bd9cee742973efa8a
SHA256: 18c4a0095d5c1da6b817592e767bb23d29dd2f560ad74df75ff3961dbde25b79
Referenced In Projects/Scopes:
cassandra:compileClasspath piglet:compileClasspath piglet:runtimeClasspath spark:default splunk:default kafka:default spark:compileClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath linq4j:runtimeClasspath linq4j:default druid:compileClasspath plus:compileClasspath pig:default plus:runtimeClasspath splunk:compileClasspath function:default file:compileClasspath core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath file:runtimeClasspath elasticsearch:default kafka:compileClasspath druid:runtimeClasspath mongodb:default cassandra:default babel:default function:runtimeClasspath core:default function:compileClasspath elasticsearch:compileClasspath babel:runtimeClasspath elasticsearch:runtimeClasspath piglet:default babel:compileClasspath csv:default core:compileClasspath core:runtimeClasspath geode:default geode:compileClasspath mongodb:runtimeClasspath file:default server:default ubenchmark:jmhCompileClasspath pig:runtimeClasspath mongodb:compileClasspath server:compileClasspath geode:runtimeClasspath csv:compileClasspath csv:runtimeClasspath plus:default pig:compileClasspath
Evidence Type Source Name Value Confidence Vendor jar package name slf4j Highest Vendor pom url http://www.slf4j.org Highest Vendor pom groupid slf4j Highest Vendor pom name SLF4J API Module High Vendor file name slf4j-api High Vendor pom parent-groupid org.slf4j Medium Vendor Manifest bundle-symbolicname slf4j.api Medium Vendor gradle groupid org.slf4j Highest Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Vendor pom parent-artifactid slf4j-parent Low Vendor pom artifactid slf4j-api Low Product pom url http://www.slf4j.org Medium Product Manifest Bundle-Name slf4j-api Medium Product pom groupid slf4j Highest Product pom artifactid slf4j-api Highest Product pom name SLF4J API Module High Product gradle artifactid slf4j-api Highest Product pom parent-artifactid slf4j-parent Medium Product Manifest bundle-symbolicname slf4j.api Medium Product jar package name slf4j Highest Product file name slf4j-api High Product pom parent-groupid org.slf4j Medium Product Manifest Implementation-Title slf4j-api High Product Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Version pom version 1.7.25 Highest Version Manifest Bundle-Version 1.7.25 High Version gradle version 1.7.25 Highest Version Manifest Implementation-Version 1.7.25 High Version file version 1.7.25 High
slf4j-api-1.7.28.jar
Description: The slf4j API
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.slf4j/slf4j-api/1.7.28/2cd9b264f76e3d087ee21bfc99305928e1bdb443/slf4j-api-1.7.28.jar
MD5: 1468c816e659d8013027d912863dc865
SHA1: 2cd9b264f76e3d087ee21bfc99305928e1bdb443
SHA256: fb6e4f67a2a4689e3e713584db17a5d1090c1ebe6eec30e9e0349a6ee118141e
Referenced In Projects/Scopes:
innodb:compileClasspath innodb:runtimeClasspath innodb:default Evidence Type Source Name Value Confidence Vendor pom url http://www.slf4j.org Highest Vendor pom groupid slf4j Highest Vendor pom name SLF4J API Module High Vendor Manifest bundle-symbolicname slf4j.api Medium Vendor gradle groupid org.slf4j Highest Vendor Manifest automatic-module-name org.slf4j Medium Vendor jar package name slf4j Highest Vendor file name slf4j-api High Vendor pom parent-groupid org.slf4j Medium Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Vendor pom parent-artifactid slf4j-parent Low Vendor pom artifactid slf4j-api Low Product pom url http://www.slf4j.org Medium Product Manifest Bundle-Name slf4j-api Medium Product pom groupid slf4j Highest Product pom artifactid slf4j-api Highest Product pom name SLF4J API Module High Product gradle artifactid slf4j-api Highest Product pom parent-artifactid slf4j-parent Medium Product Manifest bundle-symbolicname slf4j.api Medium Product Manifest automatic-module-name org.slf4j Medium Product jar package name slf4j Highest Product file name slf4j-api High Product pom parent-groupid org.slf4j Medium Product Manifest Implementation-Title slf4j-api High Product Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Version Manifest Bundle-Version 1.7.28 High Version pom version 1.7.28 Highest Version file version 1.7.28 High Version Manifest Implementation-Version 1.7.28 High Version gradle version 1.7.28 Highest
slf4j-api-1.7.30.jar
Description: The slf4j API
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.slf4j/slf4j-api/1.7.30/b5a4b6d16ab13e34a88fae84c35cd5d68cac922c/slf4j-api-1.7.30.jar
MD5: f8be00da99bc4ab64c79ab1e2be7cb7c
SHA1: b5a4b6d16ab13e34a88fae84c35cd5d68cac922c
SHA256: cdba07964d1bb40a0761485c6b1e8c2f8fd9eb1d19c53928ac0d7f9510105c57
Referenced In Projects/Scopes:
calcite:sqllineClasspath redis:compileClasspath redis:default redis:runtimeClasspath Evidence Type Source Name Value Confidence Vendor pom url http://www.slf4j.org Highest Vendor pom groupid slf4j Highest Vendor pom name SLF4J API Module High Vendor Manifest bundle-symbolicname slf4j.api Medium Vendor gradle groupid org.slf4j Highest Vendor Manifest automatic-module-name org.slf4j Medium Vendor jar package name slf4j Highest Vendor file name slf4j-api High Vendor pom parent-groupid org.slf4j Medium Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Vendor pom parent-artifactid slf4j-parent Low Vendor pom artifactid slf4j-api Low Product pom url http://www.slf4j.org Medium Product Manifest Bundle-Name slf4j-api Medium Product pom groupid slf4j Highest Product pom artifactid slf4j-api Highest Product pom name SLF4J API Module High Product gradle artifactid slf4j-api Highest Product pom parent-artifactid slf4j-parent Medium Product Manifest bundle-symbolicname slf4j.api Medium Product Manifest automatic-module-name org.slf4j Medium Product jar package name slf4j Highest Product file name slf4j-api High Product pom parent-groupid org.slf4j Medium Product Manifest Implementation-Title slf4j-api High Product Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Version gradle version 1.7.30 Highest Version file version 1.7.30 High Version Manifest Implementation-Version 1.7.30 High Version Manifest Bundle-Version 1.7.30 High Version pom version 1.7.30 Highest
slf4j-log4j12-1.7.25.jar
Description: SLF4J LOG4J-12 Binding
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.slf4j/slf4j-log4j12/1.7.25/110cefe2df103412849d72ef7a67e4e91e4266b4/slf4j-log4j12-1.7.25.jar
MD5: 7f16ba3b1ab6a781c3f6887eae7b608d
SHA1: 110cefe2df103412849d72ef7a67e4e91e4266b4
SHA256: ddb343954deb6f046f862606c534178730c02ed23d0b7f6ca1012c1e3fa74273
Referenced In Projects/Scopes:
piglet:compileClasspath piglet:runtimeClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor pom url http://www.slf4j.org Highest Vendor pom groupid slf4j Highest Vendor jar package name log4j Highest Vendor gradle groupid org.slf4j Highest Vendor Manifest bundle-symbolicname slf4j.log4j12 Medium Vendor pom artifactid slf4j-log4j12 Low Vendor jar package name slf4j Highest Vendor pom parent-groupid org.slf4j Medium Vendor pom name SLF4J LOG4J-12 Binding High Vendor file name slf4j-log4j12 High Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Vendor pom parent-artifactid slf4j-parent Low Product pom url http://www.slf4j.org Medium Product pom artifactid slf4j-log4j12 Highest Product jar package name log4j Highest Product Manifest Implementation-Title slf4j-log4j12 High Product pom groupid slf4j Highest Product gradle artifactid slf4j-log4j12 Highest Product pom parent-artifactid slf4j-parent Medium Product Manifest bundle-symbolicname slf4j.log4j12 Medium Product jar package name slf4j Highest Product pom parent-groupid org.slf4j Medium Product pom name SLF4J LOG4J-12 Binding High Product file name slf4j-log4j12 High Product Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Product Manifest Bundle-Name slf4j-log4j12 Medium Version pom version 1.7.25 Highest Version Manifest Bundle-Version 1.7.25 High Version gradle version 1.7.25 Highest Version Manifest Implementation-Version 1.7.25 High Version file version 1.7.25 High
slf4j-log4j12-1.7.28.jar
Description: SLF4J LOG4J-12 Binding
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.slf4j/slf4j-log4j12/1.7.28/9c45c87557628d1c06d770e1382932dc781e3d5d/slf4j-log4j12-1.7.28.jar
MD5: 4abb5232943c4fd9d098fdfb278c4591
SHA1: 9c45c87557628d1c06d770e1382932dc781e3d5d
SHA256: ad926e9a170d96519eab7553c94462d7849d55c4886c9b5d386782090e321fd6
Referenced In Projects/Scopes:
innodb:compileClasspath innodb:runtimeClasspath calcite:sqllineClasspath innodb:default Evidence Type Source Name Value Confidence Vendor pom url http://www.slf4j.org Highest Vendor pom groupid slf4j Highest Vendor jar package name log4j Highest Vendor gradle groupid org.slf4j Highest Vendor Manifest bundle-symbolicname slf4j.log4j12 Medium Vendor pom artifactid slf4j-log4j12 Low Vendor jar package name slf4j Highest Vendor pom parent-groupid org.slf4j Medium Vendor pom name SLF4J LOG4J-12 Binding High Vendor file name slf4j-log4j12 High Vendor Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Vendor pom parent-artifactid slf4j-parent Low Product pom url http://www.slf4j.org Medium Product pom artifactid slf4j-log4j12 Highest Product jar package name log4j Highest Product Manifest Implementation-Title slf4j-log4j12 High Product pom groupid slf4j Highest Product gradle artifactid slf4j-log4j12 Highest Product pom parent-artifactid slf4j-parent Medium Product Manifest bundle-symbolicname slf4j.log4j12 Medium Product jar package name slf4j Highest Product pom parent-groupid org.slf4j Medium Product pom name SLF4J LOG4J-12 Binding High Product file name slf4j-log4j12 High Product Manifest bundle-requiredexecutionenvironment J2SE-1.5 Low Product Manifest Bundle-Name slf4j-log4j12 Medium Version Manifest Bundle-Version 1.7.28 High Version pom version 1.7.28 Highest Version file version 1.7.28 High Version Manifest Implementation-Version 1.7.28 High Version gradle version 1.7.28 Highest
snakeyaml-1.24.jar
Description: YAML 1.1 parser and emitter for Java
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar
MD5: 694248028b74151981bbb97c1e565843
SHA1: 13a9c0d6776483c3876e3ff9384f9bb55b17001b
SHA256: d3f7f09989d5b0ce5c4791818ef937ee7663f1e359c2ef2d312f938aad0763da
Referenced In Projects/Scopes: babel:default piglet:runtimeClasspath spark:default splunk:default function:runtimeClasspath kafka:default redis:runtimeClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath core:default babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default pig:default plus:runtimeClasspath function:default csv:default core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath core:compileClasspath file:runtimeClasspath innodb:runtimeClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default elasticsearch:default druid:runtimeClasspath mongodb:runtimeClasspath file:default server:default pig:runtimeClasspath mongodb:default redis:default geode:runtimeClasspath csv:runtimeClasspath plus:default cassandra:default
Evidence Type Source Name Value Confidence Vendor gradle groupid org.yaml Highest Vendor jar package name parser Highest Vendor Manifest automatic-module-name org.yaml.snakeyaml Medium Vendor jar package name yaml Highest Vendor pom url http://www.snakeyaml.org Highest Vendor jar package name emitter Highest Vendor pom name SnakeYAML High Vendor Manifest bundle-symbolicname org.yaml.snakeyaml Medium Vendor file name snakeyaml High Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor jar package name snakeyaml Highest Vendor pom artifactid snakeyaml Low Vendor pom groupid yaml Highest Product jar package name parser Highest Product Manifest automatic-module-name org.yaml.snakeyaml Medium Product jar package name yaml Highest Product pom artifactid snakeyaml Highest Product jar package name emitter Highest Product gradle artifactid snakeyaml Highest Product pom name SnakeYAML High Product Manifest bundle-symbolicname org.yaml.snakeyaml Medium Product file name snakeyaml High Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product Manifest Bundle-Name SnakeYAML Medium Product pom url http://www.snakeyaml.org Medium Product jar package name snakeyaml Highest Product pom groupid yaml Highest Version gradle version 1.24 Highest Version file version 1.24 High Version pom version 1.24 Highest
Published Vulnerabilities
CVE-2017-18640
The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564. CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
snappy-java-1.0.4.1.jar
Description: snappy-java: A fast compression/decompression library
License: The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.xerial.snappy/snappy-java/1.0.4.1/f88b89a5a21a466aeb0ecf0c063605bd584b4947/snappy-java-1.0.4.1.jar
MD5: 3fad0dcafbced1e3475e3ad7bdd3236b
SHA1: f88b89a5a21a466aeb0ecf0c063605bd584b4947
SHA256: 52533e94f79beacb9862bac33fa2e2fc724a8cfb2a739c33ae4ea10515f2bb86
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath Evidence Type Source Name Value Confidence Vendor pom organization name xerial.org High Vendor gradle groupid org.xerial.snappy Highest Vendor pom organization url http://www.xerial.org/ Medium Vendor jar package name snappy Highest Vendor pom name Snappy for Java High Vendor pom groupid xerial.snappy Highest Vendor Manifest bundle-symbolicname org.xerial.snappy.snappy-java Medium Vendor pom artifactid snappy-java Low Vendor pom url http://code.google.com/p/snappy-java/ Highest Vendor Manifest bundle-docurl http://www.xerial.org/ Low Vendor file name snappy-java High Vendor jar package name xerial Highest Product gradle artifactid snappy-java Highest Product jar package name snappy Highest Product Manifest Bundle-Name org.xerial.snappy.snappy-java Medium Product pom name Snappy for Java High Product pom groupid xerial.snappy Highest Product Manifest bundle-symbolicname org.xerial.snappy.snappy-java Medium Product pom organization url http://www.xerial.org/ Low Product pom artifactid snappy-java Highest Product pom url http://code.google.com/p/snappy-java/ Medium Product Manifest bundle-docurl http://www.xerial.org/ Low Product file name snappy-java High Product pom organization name xerial.org Low Product jar package name xerial Highest Version Manifest Bundle-Version 1.0.4.1 High Version gradle version 1.0.4.1 Highest Version file version 1.0.4.1 High Version pom version 1.0.4.1 Highest
snappy-java-1.0.4.1.jar: snappyjava.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.xerial.snappy/snappy-java/1.0.4.1/f88b89a5a21a466aeb0ecf0c063605bd584b4947/snappy-java-1.0.4.1.jar/org/xerial/snappy/native/Windows/x86/snappyjava.dll
MD5: 02d0731854ac1be878dc4d6e2555aa2d
SHA1: baf474b2ad0b6873e2d99764ea61dcb42f850e24
SHA256: e063f8c7329c9e95f61fac2d2c91330440cd45ff832582a46080c082fa8a0c56
Referenced In Projects/Scopes:
piglet:compileClasspath piglet:runtimeClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath Evidence Type Source Name Value Confidence Vendor file name snappyjava High Product file name snappyjava High
snappy-java-1.0.4.1.jar: snappyjava.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.xerial.snappy/snappy-java/1.0.4.1/f88b89a5a21a466aeb0ecf0c063605bd584b4947/snappy-java-1.0.4.1.jar/org/xerial/snappy/native/Windows/amd64/snappyjava.dll
MD5: 09989290a9d23aa887ad3919c8daf6bd
SHA1: 1ca8cb25c14aa3574e1c2d362e11b97b889dc466
SHA256: f0bcc10fb910803d2ce1dfc36fe792066a27570ecacdeedf9d98e7b758f37b44
Referenced In Projects/Scopes:
piglet:compileClasspath piglet:runtimeClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath Evidence Type Source Name Value Confidence Vendor file name snappyjava High Product file name snappyjava High
snappy-java-1.1.2.6.jar
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.xerial.snappy/snappy-java/1.1.2.6/48d92871ca286a47f230feb375f0bbffa83b85f6/snappy-java-1.1.2.6.jar
MD5: 238af9ae1f62970d9176fa0c4f6387fe
SHA1: 48d92871ca286a47f230feb375f0bbffa83b85f6
SHA256: 61f7bc4076be0320ab4ef076fb6d83e3f649c3caf9ffb6031654a73f9c23732f
Referenced In Projects/Scopes: spark:default spark:compileClasspath spark:runtimeClasspath
Evidence Type Source Name Value Confidence Vendor Manifest bundle-symbolicname org.xerial.snappy.snappy-java Medium Vendor jar package name xerial Low Vendor gradle groupid org.xerial.snappy Highest Vendor jar package name snappy Low Vendor jar package name snappy Highest Vendor Manifest bundle-activationpolicy lazy Low Vendor Manifest bundle-docurl http://www.xerial.org/ Low Vendor file name snappy-java High Vendor jar package name xerial Highest Vendor Manifest bundle-nativecode org/xerial/snappy/native/Windows/x86_64/snappyjava.dll;osname=win32;processor=x86-64,org/xerial/snappy/native/Windows/x86_64/snappyjava.dll;osname=win32;processor=x64,org/xerial/snappy/native/Windows/x86_64/snappyjava.dll;osname=win32;processor=amd64,org/xerial/snappy/native/Windows/x86/snappyjava.dll;osname=win32;processor=x86,org/xerial/snappy/native/Mac/x86/libsnappyjava.jnilib;osname=macosx;processor=x86,org/xerial/snappy/native/Mac/x86_64/libsnappyjava.jnilib;osname=macosx;processor=x86-64,org/xerial/snappy/native/Linux/x86_64/libsnappyjava.so;osname=linux;processor=x86-64,org/xerial/snappy/native/Linux/x86_64/libsnappyjava.so;osname=linux;processor=x64,org/xerial/snappy/native/Linux/x86_64/libsnappyjava.so;osname=linux;processor=amd64,org/xerial/snappy/native/Linux/x86/libsnappyjava.so;osname=linux;processor=x86,org/xerial/snappy/native/Linux/aarch64/libsnappyjava.so;osname=linux;processor=aarch64,org/xerial/snappy/native/Linux/arm/libsnappyjava.so;osname=linux;processor=arm,org/xerial/snappy/native/Linux/ppc64/libsnappyjava.so;osname=linux;processor=ppc64,org/xerial/snappy/native/Linux/ppc64le/libsnappyjava.so;osname=linux;processor=ppc64le,org/xerial/snappy/native/Linux/s390x/libsnappyjava.so;osname=linux;processor=s390x,org/xerial/snappy/native/AIX/ppc/libsnappyjava.a;osname=aix;processor=ppc,org/xerial/snappy/native/AIX/ppc64/libsnappyjava.a;osname=aix;processor=ppc64,org/xerial/snappy/native/SunOS/x86/libsnappyjava.so;osname=sunos;processor=x86,org/xerial/snappy/native/SunOS/x86_64/libsnappyjava.so;osname=sunos;processor=x86-64,org/xerial/snappy/native/SunOS/sparc/libsnappyjava.so;osname=sunos;processor=sparc Low Product gradle artifactid snappy-java Highest Product Manifest bundle-symbolicname org.xerial.snappy.snappy-java Medium Product Manifest Bundle-Name snappy-java: A fast compression/decompression library Medium Product jar package name snappy Low Product jar package name snappy Highest Product Manifest bundle-activationpolicy lazy Low Product Manifest bundle-docurl http://www.xerial.org/ Low Product file name snappy-java High Product jar package name xerial Highest Product Manifest bundle-nativecode org/xerial/snappy/native/Windows/x86_64/snappyjava.dll;osname=win32;processor=x86-64,org/xerial/snappy/native/Windows/x86_64/snappyjava.dll;osname=win32;processor=x64,org/xerial/snappy/native/Windows/x86_64/snappyjava.dll;osname=win32;processor=amd64,org/xerial/snappy/native/Windows/x86/snappyjava.dll;osname=win32;processor=x86,org/xerial/snappy/native/Mac/x86/libsnappyjava.jnilib;osname=macosx;processor=x86,org/xerial/snappy/native/Mac/x86_64/libsnappyjava.jnilib;osname=macosx;processor=x86-64,org/xerial/snappy/native/Linux/x86_64/libsnappyjava.so;osname=linux;processor=x86-64,org/xerial/snappy/native/Linux/x86_64/libsnappyjava.so;osname=linux;processor=x64,org/xerial/snappy/native/Linux/x86_64/libsnappyjava.so;osname=linux;processor=amd64,org/xerial/snappy/native/Linux/x86/libsnappyjava.so;osname=linux;processor=x86,org/xerial/snappy/native/Linux/aarch64/libsnappyjava.so;osname=linux;processor=aarch64,org/xerial/snappy/native/Linux/arm/libsnappyjava.so;osname=linux;processor=arm,org/xerial/snappy/native/Linux/ppc64/libsnappyjava.so;osname=linux;processor=ppc64,org/xerial/snappy/native/Linux/ppc64le/libsnappyjava.so;osname=linux;processor=ppc64le,org/xerial/snappy/native/Linux/s390x/libsnappyjava.so;osname=linux;processor=s390x,org/xerial/snappy/native/AIX/ppc/libsnappyjava.a;osname=aix;processor=ppc,org/xerial/snappy/native/AIX/ppc64/libsnappyjava.a;osname=aix;processor=ppc64,org/xerial/snappy/native/SunOS/x86/libsnappyjava.so;osname=sunos;processor=x86,org/xerial/snappy/native/SunOS/x86_64/libsnappyjava.so;osname=sunos;processor=x86-64,org/xerial/snappy/native/SunOS/sparc/libsnappyjava.so;osname=sunos;processor=sparc Low Version file name snappy-java Medium Version Manifest Bundle-Version 1.1.2.6 High Version jar package name snappy Highest Version file version 1.1.2.6 High Version gradle version 1.1.2.6 Highest Version jar package name xerial Highest
snappy-java-1.1.2.6.jar: snappyjava.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.xerial.snappy/snappy-java/1.1.2.6/48d92871ca286a47f230feb375f0bbffa83b85f6/snappy-java-1.1.2.6.jar/org/xerial/snappy/native/Windows/x86/snappyjava.dll
MD5: c35f7d232d05fd0b8440153cb4224a5a
SHA1: 45b5f3fdd2bac156b8d100ce2c29ac7126454fef
SHA256: 15fb95c2168bb78cf94f61bbff7fc0bb5611db9d8509dd1322a40d735c3109bc
Referenced In Projects/Scopes:
spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor file name snappyjava High Product file name snappyjava High
snappy-java-1.1.2.6.jar: snappyjava.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.xerial.snappy/snappy-java/1.1.2.6/48d92871ca286a47f230feb375f0bbffa83b85f6/snappy-java-1.1.2.6.jar/org/xerial/snappy/native/Windows/x86_64/snappyjava.dll
MD5: eae816277d795d3397f08ad43d236576
SHA1: 283068f6b5cd8bb3449867558624fe19c432d909
SHA256: dfcc13605edabf70e7bec87f68bc2a1c7d06bebecd72a0d4e122eee2e695948e
Referenced In Projects/Scopes:
spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor file name snappyjava High Product file name snappyjava High
snappy-java-1.1.7.2.jar
Description: snappy-java: A fast compression/decompression library
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.xerial.snappy/snappy-java/1.1.7.2/307b286efd119ad2c6d4291128bf110bddc68088/snappy-java-1.1.7.2.jar
MD5: 43f28328017f172f727e34e08e2d5980
SHA1: 307b286efd119ad2c6d4291128bf110bddc68088
SHA256: 30c332dfd4deb20332d736d5c673614ca7654598661ec5dd0793edc2f3da3261
Referenced In Projects/Scopes: kafka:runtimeClasspath calcite:sqllineClasspath kafka:compileClasspath kafka:default
Evidence Type Source Name Value Confidence Vendor Manifest bundle-nativecode org/xerial/snappy/native/Windows/x86_64/snappyjava.dll;osname=win32;processor=x86-64,org/xerial/snappy/native/Windows/x86_64/snappyjava.dll;osname=win32;processor=x64,org/xerial/snappy/native/Windows/x86_64/snappyjava.dll;osname=win32;processor=amd64,org/xerial/snappy/native/Windows/x86/snappyjava.dll;osname=win32;processor=x86,org/xerial/snappy/native/Mac/x86/libsnappyjava.jnilib;osname=macosx;processor=x86,org/xerial/snappy/native/Mac/x86_64/libsnappyjava.jnilib;osname=macosx;processor=x86-64,org/xerial/snappy/native/Linux/x86_64/libsnappyjava.so;osname=linux;processor=x86-64,org/xerial/snappy/native/Linux/x86_64/libsnappyjava.so;osname=linux;processor=x64,org/xerial/snappy/native/Linux/x86_64/libsnappyjava.so;osname=linux;processor=amd64,org/xerial/snappy/native/Linux/x86/libsnappyjava.so;osname=linux;processor=x86,org/xerial/snappy/native/Linux/aarch64/libsnappyjava.so;osname=linux;processor=aarch64,org/xerial/snappy/native/Linux/arm/libsnappyjava.so;osname=linux;processor=arm,org/xerial/snappy/native/Linux/armv7/libsnappyjava.so;osname=linux;processor=arm_le,org/xerial/snappy/native/Linux/ppc64/libsnappyjava.so;osname=linux;processor=ppc64le,org/xerial/snappy/native/Linux/s390x/libsnappyjava.so;osname=linux;processor=s390x,org/xerial/snappy/native/AIX/ppc/libsnappyjava.a;osname=aix;processor=ppc,org/xerial/snappy/native/AIX/ppc64/libsnappyjava.a;osname=aix;processor=ppc64,org/xerial/snappy/native/SunOS/x86/libsnappyjava.so;osname=sunos;processor=x86,org/xerial/snappy/native/SunOS/x86_64/libsnappyjava.so;osname=sunos;processor=x86-64,org/xerial/snappy/native/SunOS/sparc/libsnappyjava.so;osname=sunos;processor=sparc Low Vendor Manifest bundle-symbolicname org.xerial.snappy.snappy-java Medium Vendor Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Vendor jar package name xerial Low Vendor gradle groupid org.xerial.snappy Highest Vendor jar package name snappy Low Vendor jar package name snappy Highest Vendor Manifest bundle-activationpolicy lazy Low Vendor Manifest bundle-docurl http://www.xerial.org/ Low Vendor file name snappy-java High Vendor jar package name xerial Highest Product Manifest bundle-nativecode org/xerial/snappy/native/Windows/x86_64/snappyjava.dll;osname=win32;processor=x86-64,org/xerial/snappy/native/Windows/x86_64/snappyjava.dll;osname=win32;processor=x64,org/xerial/snappy/native/Windows/x86_64/snappyjava.dll;osname=win32;processor=amd64,org/xerial/snappy/native/Windows/x86/snappyjava.dll;osname=win32;processor=x86,org/xerial/snappy/native/Mac/x86/libsnappyjava.jnilib;osname=macosx;processor=x86,org/xerial/snappy/native/Mac/x86_64/libsnappyjava.jnilib;osname=macosx;processor=x86-64,org/xerial/snappy/native/Linux/x86_64/libsnappyjava.so;osname=linux;processor=x86-64,org/xerial/snappy/native/Linux/x86_64/libsnappyjava.so;osname=linux;processor=x64,org/xerial/snappy/native/Linux/x86_64/libsnappyjava.so;osname=linux;processor=amd64,org/xerial/snappy/native/Linux/x86/libsnappyjava.so;osname=linux;processor=x86,org/xerial/snappy/native/Linux/aarch64/libsnappyjava.so;osname=linux;processor=aarch64,org/xerial/snappy/native/Linux/arm/libsnappyjava.so;osname=linux;processor=arm,org/xerial/snappy/native/Linux/armv7/libsnappyjava.so;osname=linux;processor=arm_le,org/xerial/snappy/native/Linux/ppc64/libsnappyjava.so;osname=linux;processor=ppc64le,org/xerial/snappy/native/Linux/s390x/libsnappyjava.so;osname=linux;processor=s390x,org/xerial/snappy/native/AIX/ppc/libsnappyjava.a;osname=aix;processor=ppc,org/xerial/snappy/native/AIX/ppc64/libsnappyjava.a;osname=aix;processor=ppc64,org/xerial/snappy/native/SunOS/x86/libsnappyjava.so;osname=sunos;processor=x86,org/xerial/snappy/native/SunOS/x86_64/libsnappyjava.so;osname=sunos;processor=x86-64,org/xerial/snappy/native/SunOS/sparc/libsnappyjava.so;osname=sunos;processor=sparc Low Product gradle artifactid snappy-java Highest Product Manifest bundle-symbolicname org.xerial.snappy.snappy-java Medium Product Manifest require-capability osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Low Product Manifest Bundle-Name snappy-java: A fast compression/decompression library Medium Product jar package name snappy Low Product jar package name snappy Highest Product Manifest bundle-activationpolicy lazy Low Product Manifest bundle-docurl http://www.xerial.org/ Low Product file name snappy-java High Product jar package name xerial Highest Version file name snappy-java Medium Version file version 1.1.7.2 High Version Manifest Bundle-Version 1.1.7.2 High Version gradle version 1.1.7.2 Highest Version jar package name snappy Highest Version jar package name xerial Highest
snappy-java-1.1.7.2.jar: snappyjava.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.xerial.snappy/snappy-java/1.1.7.2/307b286efd119ad2c6d4291128bf110bddc68088/snappy-java-1.1.7.2.jar/org/xerial/snappy/native/Windows/x86/snappyjava.dll
MD5: 3311b452e8619f09b279575c5ebac4c7
SHA1: b2ab0f778657b4ff3521d7c93e3e5b3b31b96ff9
SHA256: 0be631df962e3dc0c5086869e77d00dde089dbde44ebb7a3e7a75b9f61fa2931
Referenced In Projects/Scopes:
kafka:runtimeClasspath calcite:sqllineClasspath kafka:compileClasspath kafka:default Evidence Type Source Name Value Confidence Vendor file name snappyjava High Product file name snappyjava High
snappy-java-1.1.7.2.jar: snappyjava.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.xerial.snappy/snappy-java/1.1.7.2/307b286efd119ad2c6d4291128bf110bddc68088/snappy-java-1.1.7.2.jar/org/xerial/snappy/native/Windows/x86_64/snappyjava.dll
MD5: 82578a05ced2f0dc97c2e6b7d350e4c4
SHA1: 79d91441d17e3c81a8bf107ebc9843c642d9e278
SHA256: cfc8d0ea172f838b3a7502e378baed72a3ac45020fb9772667e5dffee46d588b
Referenced In Projects/Scopes: kafka:runtimeClasspath calcite:sqllineClasspath kafka:compileClasspath kafka:default
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | snappyjava | High
Product | file | name | snappyjava | High
spark-core_2.10-2.2.2.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar
MD5: 4a7456371c6b9289cbf8d853a13a3944
SHA1: 002029009854ecb422d1ba6dc8135ba9b2be2ad1
SHA256: 10f4077c72c37961ab0c4626a5d88f323eb2fc5e25741394d52d0388720dc138
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | spark-core_2.10-2.2.2 | High
Vendor | Manifest | implementation-url | http://spark.apache.org/ | Low
Vendor | pom | groupid | apache.spark | Highest
Vendor | Manifest | Implementation-Vendor-Id | org.apache.spark | Medium
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | url | http://spark.apache.org/ | Highest
Vendor | pom | artifactid | spark-core_2.10 | Low
Vendor | gradle | groupid | org.apache.spark | Highest
Vendor | jar | package name | apache | Highest
Vendor | pom | name | Spark Project Core | High
Vendor | pom | parent-artifactid | spark-parent_2.10 | Low
Vendor | pom | parent-groupid | org.apache.spark | Medium
Vendor | jar | package name | spark | Highest
Product | Manifest | Implementation-Title | Spark Project Core | High
Product | file | name | spark-core_2.10-2.2.2 | High
Product | Manifest | implementation-url | http://spark.apache.org/ | Low
Product | pom | groupid | apache.spark | Highest
Product | pom | artifactid | spark-core_2.10 | Highest
Product | pom | parent-artifactid | spark-parent_2.10 | Medium
Product | pom | url | http://spark.apache.org/ | Medium
Product | gradle | artifactid | spark-core_2.10 | Highest
Product | jar | package name | apache | Highest
Product | pom | name | Spark Project Core | High
Product | jar | package name | http | Highest
Product | Manifest | specification-title | Spark Project Core | Medium
Product | pom | parent-groupid | org.apache.spark | Medium
Product | jar | package name | spark | Highest
Version | gradle | version | 2.2.2 | Highest
Version | Manifest | Implementation-Version | 2.2.2 | High
Version | pom | version | 2.2.2 | Highest
Published Vulnerabilities
CVE-2018-11760
When using PySpark, it is possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: LOW (2.1) Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVE-2018-11770
From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone mode, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'.
CWE: CWE-287 Improper Authentication
CVSSv2: Base Score: MEDIUM (4.9) Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N
CVSSv3: Base Score: MEDIUM (4.2) Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
CVE-2018-11804
Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code.
CWE: CWE-20 Improper Input Validation
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2018-17190
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2019-10099
Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in PySpark, using broadcast and parallelize; and use of Python UDFs.
CWE: CWE-310 Cryptographic Issues
CVSSv2: Base Score: MEDIUM (4.3) Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2020-9480
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
CWE: CWE-287 Improper Authentication
CVSSv2: Base Score: HIGH (9.3) Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
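The four standalone-master findings above (CVE-2018-11770, CVE-2018-17190, CVE-2020-9480 and CVE-2019-10099) all turn on a handful of configuration keys and version thresholds that the descriptions name. The following is an added example written for this report, not Spark project code: a small Python linter that parses a spark-defaults.conf and reports which of those findings apply to a given Spark version. It assumes the file it is given is the configuration the standalone master itself runs with, and the sample configuration is constructed for the demonstration.

```python
"""Lint a standalone master's Spark configuration for the issues listed above."""
import re

# Constructed sample spark-defaults.conf; not taken from the scanned project.
SAMPLE_CONF = """\
spark.master                  spark://master.internal:7077
spark.authenticate            true
spark.authenticate.secret     changeme      # shared secret used by spark-submit
spark.io.encryption.enabled   true
spark.master.rest.enabled     true
"""


def parse_spark_defaults(text):
    """Parse spark-defaults.conf: one 'key value' (or 'key=value') per line, '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def version_tuple(version):
    """'2.2.2' -> (2, 2, 2); tolerates suffixes such as '2.4.5-bin-hadoop2.7'."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])


def lint_standalone_master(conf, spark_version):
    """Return [(cve_id, message)] for a standalone master running with `conf`.

    Thresholds come from the CVE descriptions: CVE-2020-9480 affects 2.4.5 and
    earlier, CVE-2019-10099 versions before 2.3.3, CVE-2018-17190 all versions
    without authentication, and CVE-2018-11770 any master with the REST API on.
    """
    ver = version_tuple(spark_version)

    def on(key):
        return conf.get(key, "").lower() == "true"

    findings = []
    # The description says the default only later became false, so anything
    # other than an explicit 'false' is treated as enabled.
    if conf.get("spark.master.rest.enabled", "").lower() != "false":
        findings.append(("CVE-2018-11770",
                         "REST job-submission API not explicitly disabled; it does not "
                         "honour spark.authenticate.secret. Set spark.master.rest.enabled=false."))
    if not on("spark.authenticate"):
        findings.append(("CVE-2018-17190",
                         "no shared-secret authentication; a crafted request makes the "
                         "master itself execute code. Set spark.authenticate=true."))
    elif ver <= (2, 4, 5):
        findings.append(("CVE-2020-9480",
                         "spark.authenticate is on, but in 2.4.5 and earlier a crafted RPC "
                         "starts application resources without the secret. Upgrade."))
    if on("spark.io.encryption.enabled") and ver < (2, 3, 3):
        findings.append(("CVE-2019-10099",
                         "spark.io.encryption.enabled=true, but before 2.3.3 blocks fetched "
                         "to disk (spark.maxRemoteBlockSizeFetchToMem) and PySpark/SparkR "
                         "parallelize/broadcast data reach local disk unencrypted. Upgrade."))
    return findings


if __name__ == "__main__":
    # spark-core_2.10-2.2.2 is the artifact this report entry covers.
    for cve, msg in lint_standalone_master(parse_spark_defaults(SAMPLE_CONF), "2.2.2"):
        print(cve, "-", msg)
```

Run against the sample with version 2.2.2 it reports CVE-2018-11770, CVE-2020-9480 and CVE-2019-10099; switching the REST flag to false and the version to 2.4.6 clears all three, and dropping spark.authenticate on any version brings back CVE-2018-17190.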
spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-client:9.3.11.v20160721)
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/META-INF/maven/org.eclipse.jetty/jetty-client/pom.xml
MD5: d46838228680db23b38ea6dac066efc2
SHA1: 34543f2f47bac1d9019f2e58fcfc16bec334c689
SHA256: cf3b1c2e7c60f47f8538c14e3fd7f1945a5ca4edce96388f3305cf3859bf3f75
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | url | http://www.eclipse.org/jetty | Highest
Vendor | pom | parent-groupid | org.eclipse.jetty | Medium
Vendor | pom | groupid | eclipse.jetty | Highest
Vendor | pom | artifactid | jetty-client | Low
Vendor | pom | parent-artifactid | jetty-project | Low
Vendor | pom | name | Jetty :: Asynchronous HTTP Client | High
Product | pom | artifactid | jetty-client | Highest
Product | pom | parent-artifactid | jetty-project | Medium
Product | pom | parent-groupid | org.eclipse.jetty | Medium
Product | pom | groupid | eclipse.jetty | Highest
Product | pom | url | http://www.eclipse.org/jetty | Medium
Product | pom | name | Jetty :: Asynchronous HTTP Client | High
Version | pom | version | 9.3.11.v20160721 | Highest
Note: the only evidence for this entry is the shaded jetty-client pom.xml (the asynchronous HTTP client module), while the CVE descriptions matched below concern Jetty server-side code (request-line and chunk parsing, DefaultServlet and DefaultHandler error output, HTTP/2 SETTINGS handling, web application unpacking, TLS frame handling). Before accepting or suppressing these findings, check which Jetty classes spark-core actually shades.
Published Vulnerabilities
CVE-2017-7656
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2017-7657
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
CVSSv2: Base Score: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2017-7658
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two Content-Length headers, Jetty ignored the second. When presented with a Content-Length and a chunked encoding header, the Content-Length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
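The three request-smuggling entries above (CVE-2017-7656, CVE-2017-7657 and CVE-2017-7658) share one root: a server that resolves an ambiguous request head differently from the intermediary in front of it. The following is an added example written for this report, not Jetty code: a strict HTTP/1 request-head parser in Python that models the chunk-size overflow the CVE-2017-7657 text describes next to a bounded parse, refuses the conflicting Content-Length / Transfer-Encoding framing of CVE-2017-7658 instead of silently picking one, and rejects a three-part request line that names HTTP/0.9 (CVE-2017-7656). The wrapping parser is a simulation of the described overflow, not Jetty's implementation; the 16 MiB per-chunk cap and the sample requests are constructed for the demonstration.

```python
"""Strict HTTP/1 request-head checks against the three Jetty issues above."""
import re

INT32_MAX = 2**31 - 1
MAX_CHUNK = 16 * 1024 * 1024  # assumed per-chunk cap for this example

# Constructed sample request heads.
OK_CHUNKED = b"POST /app HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunked\r\n\r\n"
SMUGGLE_CL = (b"POST /app HTTP/1.1\r\nHost: x\r\n"
              b"Content-Length: 4\r\nContent-Length: 40\r\n\r\n")
SMUGGLE_CL_TE = (b"POST /app HTTP/1.1\r\nHost: x\r\n"
                 b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n")
HTTP09 = b"GET /app HTTP/0.9\r\n\r\n"


def chunk_size_wrapping(line):
    """Model of the flawed parse: hex digits accumulated in a 32-bit signed int.

    A simulation of the overflow CVE-2017-7657 describes, not Jetty's code:
    the chunk size 0x100000005 wraps to 5, so the rest of a 4 GiB 'chunk' is
    read as whatever comes after a 5-byte chunk, i.e. as a pipelined request.
    """
    hexpart = line.split(b";", 1)[0].strip()
    value = 0
    for ch in hexpart.decode("ascii"):
        value = ((value << 4) | int(ch, 16)) & 0xFFFFFFFF
    return value - 2**32 if value > INT32_MAX else value


def chunk_size_strict(line):
    """Hardened parse: exact hex syntax, bounded digit count, hard upper limit."""
    hexpart = line.split(b";", 1)[0].strip()
    if not re.fullmatch(rb"[0-9A-Fa-f]{1,16}", hexpart):
        raise ValueError("malformed chunk-size line")
    size = int(hexpart, 16)
    if size > MAX_CHUNK:
        raise ValueError("chunk size %d exceeds cap" % size)
    return size


def body_framing(headers):
    """Resolve body framing from (name, value) header pairs, or refuse.

    Rejects the ambiguous cases from CVE-2017-7658 (two differing
    Content-Length values, or Content-Length next to Transfer-Encoding)
    rather than quietly choosing one of them.
    """
    cl = [v.strip() for n, v in headers if n.lower() == b"content-length"]
    te = [v.strip().lower() for n, v in headers if n.lower() == b"transfer-encoding"]
    if cl and te:
        raise ValueError("Content-Length together with Transfer-Encoding is ambiguous")
    if te:
        if te != [b"chunked"]:
            raise ValueError("unsupported Transfer-Encoding %r" % te)
        return ("chunked", None)
    if cl:
        if len(set(cl)) > 1 or not cl[0].isdigit():
            raise ValueError("conflicting or non-numeric Content-Length")
        return ("length", int(cl[0]))
    return ("none", 0)


def parse_request_line(line):
    """Require 'METHOD SP target SP HTTP/1.x'; an HTTP/0.9 token is refused (CVE-2017-7656)."""
    parts = line.split(b" ")
    if len(parts) != 3:
        raise ValueError("request line must have exactly three parts")
    method, target, version = parts
    if not re.fullmatch(rb"HTTP/1\.[01]", version):
        raise ValueError("unsupported HTTP version %r" % version)
    return method, target, version


def parse_head(raw):
    """Parse the head (bytes up to CRLFCRLF) into (request_line, framing)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    req = parse_request_line(lines[0])
    headers = []
    for h in lines[1:]:
        name, sep, value = h.partition(b":")
        if not sep or not name or name != name.strip():  # no whitespace around names
            raise ValueError("malformed header line %r" % h)
        headers.append((name, value))
    return req, body_framing(headers)


def accepts(raw):
    """True if the head passes every check, False if any check rejects it."""
    try:
        parse_head(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("0x100000005 wrapping ->", chunk_size_wrapping(b"100000005"))
    for name, sample in [("chunked", OK_CHUNKED), ("two CL", SMUGGLE_CL),
                         ("CL+TE", SMUGGLE_CL_TE), ("HTTP/0.9", HTTP09)]:
        print("%-9s accepted: %s" % (name, accepts(sample)))
```

The point of the model is the gap between the two chunk parsers: the wrapping one turns 0x100000005 into 5, which is exactly the "large chunk size interpreted as a smaller chunk size" the description gives, while the strict one refuses anything it cannot represent. The framing check is deliberately stricter than RFC 2616's "Content-Length is ignored when chunked" rule, because the smuggling only works when the server and its intermediary disagree.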
CVE-2018-12536
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2018-12545
In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
CWE: CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2019-10241
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2019-10247
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error; it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE: CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2020-27216
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2, on Unix-like systems, the system's temporary directory is shared between all users on that system. A co-located user can observe the process of creating a temporary sub-directory in the shared temporary directory and race to complete the creation of the temporary sub-directory. If the attacker wins the race then they will have read and write permission to the sub-directory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
CWE: NVD-CWE-Other
CVSSv2: Base Score: MEDIUM (4.4) Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.0) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
CONFIRM - https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921
CONFIRM - https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6#advisory-comment-63053
CONFIRM - https://security.netapp.com/advisory/ntap-20201123-0005/
MISC - https://www.oracle.com/security-alerts/cpujan2021.html
MLIST - [beam-issues] 20201110 to 20210526, JIRA notifications for (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [debian-lts-announce] 20210514 [SECURITY] [DLA 2661-1] jetty9 security update
MLIST - [directory-commits] 20201104 [directory-server] branch master updated: Updating Jetty to 9.4.33 to fix CVE-2020-27216
MLIST - [druid-commits] 20201106 [GitHub] [druid] suneet-s opened a new pull request #10563: Bump jetty to latest version
MLIST - [felix-commits] and [felix-dev] 20201125 (FELIX-6364) Security vulnerability CVE-2020-27216, update jetty (pull request #63 by abhishekgarg18, merged by cziegeler; JIRA created, assigned, updated and resolved the same day)
MLIST - [iotdb-commits], [iotdb-notifications] and [iotdb-reviews] 20210303 to 20210308 (IOTDB-1181) Upgrade jetty jar to fix CVE-2020-27216 (pull request #2768 by wangchao316, merged by jixuan1989)
MLIST - [kafka-jira] 20201104 [GitHub] [kafka] niteshmor opened a new pull request #9556: MINOR: Update jetty to 9.4.33
MLIST - [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list
MLIST - [samza-commits] 20210310 [GitHub] [samza] Telesia opened a new pull request #1471: SAMZA-2630: Upgrade dependencies for security fixes
MLIST - [shiro-commits] 20201104 Update Jetty to 9.4.33.v20201020 to fix CVE-2020-27216 (pull request #262 by coheigea, merged by fpapon; branch master updated)
MLIST - [zookeeper-commits], [zookeeper-dev], [zookeeper-issues] and [zookeeper-notifications] 20201123 to 20201208 (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 (pull request #1549 by anmolnar, discussed by eolivelli, ztzg and nkalmar, closed 20201124; branches 3.5, 3.6 and master updated); (ZOOKEEPER-4023) CLONE - Owasp check failing - Jetty 9.4.32 - CVE-2020-27216, later retitled dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218; Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0
OSSINDEX - [CVE-2020-27216] In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.b... (three entries)
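The race in CVE-2020-27216 depends on two things the description spells out: the unpack directory has a name another user can predict, and it lives in a location that user can write to. The following is an added example written for this report, not Jetty code: in Python on a POSIX system, the weak pattern (a guessable name under the shared temp directory, reused if it already exists) beside the safe one (an unguessable name created atomically with mode 0700), plus the ownership and permission check an application should run before it unpacks anything into a directory it did not create itself. The directory names and the planted world-writable directory in `simulate_race` are constructed for the demonstration.

```python
"""Temp-directory hygiene against the shared-/tmp race described above (POSIX only)."""
import os
import shutil
import stat
import tempfile


def predictable_work_dir(base, app_name, port):
    """The weak pattern: a guessable name in a shared directory, reused if present.

    makedirs(exist_ok=True) accepts a directory that somebody else created
    first, so whoever won the race now controls where the application unpacks.
    """
    path = os.path.join(base, "webapp-%s-%d" % (app_name, port))
    os.makedirs(path, exist_ok=True)
    return path


def verify_private_dir(path):
    """Refuse `path` unless it is a real directory we own that only we can write to."""
    st = os.lstat(path)  # lstat so a symlink planted at this name cannot pass
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError("%s is not a directory" % path)
    if st.st_uid != os.getuid():
        raise PermissionError("%s is owned by uid %d, not by us" % (path, st.st_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError("%s is group- or world-writable" % path)
    return path


def private_work_dir(base=None):
    """The safe pattern: unguessable name, created atomically with mode 0700."""
    path = tempfile.mkdtemp(prefix="webapp-", dir=base or tempfile.gettempdir())
    return verify_private_dir(path)


def simulate_race(base=None):
    """Constructed scenario: a co-located user already created the guessable
    directory, world-writable, before the application started."""
    created_base = base is None
    base = base or tempfile.mkdtemp(prefix="shared-tmp-")
    planted = os.path.join(base, "webapp-app-8080")
    os.mkdir(planted)
    os.chmod(planted, 0o777)  # explicit chmod: the umask would otherwise mask the bits

    weak = predictable_work_dir(base, "app", 8080)  # silently reuses the planted dir
    try:
        verify_private_dir(weak)
        weak_rejected = False
    except PermissionError:
        weak_rejected = True

    safe = private_work_dir(base)
    result = {
        "weak_reused_planted_dir": weak == planted,
        "weak_rejected_by_check": weak_rejected,
        "safe_mode": stat.S_IMODE(os.lstat(safe).st_mode),
        "safe_is_fresh": safe != planted and os.path.dirname(safe) == base,
    }
    if created_base:
        shutil.rmtree(base, ignore_errors=True)
    return result


if __name__ == "__main__":
    for key, value in simulate_race().items():
        print("%-24s %s" % (key, oct(value) if key == "safe_mode" else value))
```

The check in `verify_private_dir` is what makes the difference even when the directory name cannot be changed: a directory that already exists with the wrong owner or with group/world write bits is refused instead of being used, which is the condition the attacker in the description needs to win.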
CVE-2021-28165
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: HIGH (7.8) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
CONFIRM - https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w
MLIST - [hbase-commits] 20210408 [hbase-thirdparty] branch master updated: HBASE-25746 [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165 (#49)
MLIST - [hbase-dev] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165
MLIST - [hbase-issues] 20210407 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165
MLIST - [hbase-issues] 20210407 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165
MLIST - [hbase-issues] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165
MLIST - [hbase-issues] 20210407 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165
MLIST - [hbase-issues] 20210408 [GitHub] [hbase-thirdparty] apurtell merged pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165
MLIST - [hbase-issues] 20210408 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165
MLIST - [ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty
MLIST - [ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty
MLIST - [ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty
MLIST - [ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty
MLIST - [ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty
MLIST - [kafka-dev] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-dev] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210412 [jira] [Assigned] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210412 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210413 [GitHub] [kafka] chia7712 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210413 [GitHub] [kafka] chia7712 merged pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210413 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210413 [GitHub] [kafka] edwin092 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210413 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [oss-security] 20210420 Vulnerability in Jenkins
MLIST - [pulsar-commits] 20210409 [GitHub] [pulsar] dinghram opened a new pull request #10183: CVE-2021-28165-Jetty
MLIST - [pulsar-commits] 20210409 [GitHub] [pulsar] merlimat commented on pull request #10183: CVE-2021-28165-Jetty
MLIST - [pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai closed pull request #10183: CVE-2021-28165-Jetty
MLIST - [pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai commented on pull request #10183: CVE-2021-28165-Jetty
MLIST - [solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr
MLIST - [solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr
MLIST - [spark-commits] 20210408 [spark] branch branch-2.4 updated: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-commits] 20210408 [spark] branch branch-3.0 updated: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-issues] 20210408 [jira] [Assigned] (SPARK-34988) Upgrade Jetty for CVE-2021-28165
MLIST - [spark-issues] 20210408 [jira] [Commented] (SPARK-34988) Upgrade Jetty for CVE-2021-28165
MLIST - [spark-issues] 20210408 [jira] [Created] (SPARK-34988) Upgrade Jetty for CVE-2021-28165
MLIST - [spark-issues] 20210408 [jira] [Resolved] (SPARK-34988) Upgrade Jetty for CVE-2021-28165
MLIST - [spark-issues] 20210408 [jira] [Updated] (SPARK-34988) Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] HyukjinKwon commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] MaxGekk closed pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] MaxGekk commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun closed pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun edited a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] viirya commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210517 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210517 [GitHub] [spark] jeffreysmooth commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.6.3 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-commits] 20210407 [zookeeper] branch master updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-dev] 20210407 Re: [VOTE] Apache ZooKeeper release 3.6.3 candidate 1
MLIST - [zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165
MLIST - [zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165
MLIST - [zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165
MLIST - [zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.38 CVE-2021-28165
MLIST - [zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165
MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad closed pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] asfgit closed pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
OSSINDEX - [CVE-2021-28165] In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to ...
OSSINDEX - [CVE-2021-28165] In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to ...
OSSINDEX - [CVE-2021-28165] In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to ...
Vulnerable Software & Versions:
spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-continuation:9.3.11.v20160721)
Description: Asynchronous API
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/META-INF/maven/org.eclipse.jetty/jetty-continuation/pom.xml
MD5: 9ee71668e9a5ebe980758e881a14030d
SHA1: c8446f5293a28d819b7295e2cdec61a7174698b5
SHA256: 1e0271b1b03ee91e26fc3f2d09959a023b7e57c125a21df7aad0d53703cbfe63
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | url | http://www.eclipse.org/jetty | Highest
Vendor | pom | name | Jetty :: Continuation | High
Vendor | pom | parent-groupid | org.eclipse.jetty | Medium
Vendor | pom | groupid | eclipse.jetty | Highest
Vendor | pom | parent-artifactid | jetty-project | Low
Vendor | pom | artifactid | jetty-continuation | Low
Product | pom | parent-artifactid | jetty-project | Medium
Product | pom | name | Jetty :: Continuation | High
Product | pom | parent-groupid | org.eclipse.jetty | Medium
Product | pom | artifactid | jetty-continuation | Highest
Product | pom | groupid | eclipse.jetty | Highest
Product | pom | url | http://www.eclipse.org/jetty | Medium
Version | pom | version | 9.3.11.v20160721 | Highest
Published Vulnerabilities
CVE-2017-7656
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response. NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2017-7657
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2017-7658
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2018-12536
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system. NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2018-12545
In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2019-10241
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2019-10247
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error; it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context. CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2020-27216
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability. NVD-CWE-Other
CVSSv2: Base Score: MEDIUM (4.4) Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.0) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
CONFIRM - https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921
CONFIRM - https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6#advisory-comment-63053
CONFIRM - https://security.netapp.com/advisory/ntap-20201123-0005/
MISC - https://www.oracle.com/security-alerts/cpujan2021.html
MLIST - [beam-issues] 20201110 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20201211 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20201211 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20201218 [jira] [Assigned] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20201218 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20201218 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210126 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210127 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210219 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210219 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210219 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210220 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210220 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210222 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210223 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210223 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210223 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210302 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210302 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210303 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210303 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210303 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210304 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210305 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210305 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210308 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210309 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210310 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210310 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210311 [jira] [Assigned] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210311 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210311 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210312 [jira] [Assigned] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210312 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210312 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210312 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210312 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210313 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210315 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210315 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210315 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210316 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210316 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210322 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210322 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210323 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210324 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210325 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210326 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210327 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210329 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210330 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210331 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210402 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210402 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210405 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210406 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210407 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210408 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210409 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210409 [jira] [Reopened] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210409 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210410 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210410 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210415 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210416 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210422 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210423 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210426 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210510 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210510 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210511 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210512 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210513 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210514 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210517 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210519 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210520 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210520 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210521 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210524 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210525 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210525 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210526 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210526 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [debian-lts-announce] 20210514 [SECURITY] [DLA 2661-1] jetty9 security update
MLIST - [directory-commits] 20201104 [directory-server] branch master updated: Updating Jetty to 9.4.33 to fix CVE-2020-27216
MLIST - [druid-commits] 20201106 [GitHub] [druid] suneet-s opened a new pull request #10563: Bump jetty to latest version
MLIST - [felix-commits] 20201125 [felix-dev] branch master updated: FELIX-6364 Security vulnerability CVE-2020-27216 , update jetty (#63)
MLIST - [felix-dev] 20201125 [GitHub] [felix-dev] abhishekgarg18 opened a new pull request #63: FELIX-6364 Security vulnerability CVE-2020-27216 ,update jetty
MLIST - [felix-dev] 20201125 [GitHub] [felix-dev] cziegeler merged pull request #63: FELIX-6364 Security vulnerability CVE-2020-27216 ,update jetty
MLIST - [felix-dev] 20201125 [jira] [Assigned] (FELIX-6364) Security vulnerability CVE-2020-27216 ,update jetty
MLIST - [felix-dev] 20201125 [jira] [Created] (FELIX-6364) Security vulnerability CVE-2020-27216 ,update jetty
MLIST - [felix-dev] 20201125 [jira] [Resolved] (FELIX-6364) Security vulnerability CVE-2020-27216 ,update jetty
MLIST - [felix-dev] 20201125 [jira] [Updated] (FELIX-6364) Security vulnerability CVE-2020-27216 ,update jetty
MLIST - [iotdb-commits] 20210308 [iotdb] branch master updated: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216
MLIST - [iotdb-notifications] 20210303 [jira] [Created] (IOTDB-1181) Upgrade jetty jar to fix CVE-2020-27216
MLIST - [iotdb-reviews] 20210303 [GitHub] [iotdb] wangchao316 commented on pull request #2768: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216
MLIST - [iotdb-reviews] 20210303 [GitHub] [iotdb] wangchao316 opened a new pull request #2768: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216
MLIST - [iotdb-reviews] 20210308 [GitHub] [iotdb] jixuan1989 commented on pull request #2768: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216
MLIST - [iotdb-reviews] 20210308 [GitHub] [iotdb] jixuan1989 merged pull request #2768: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216
MLIST - [kafka-jira] 20201104 [GitHub] [kafka] niteshmor opened a new pull request #9556: MINOR: Update jetty to 9.4.33
MLIST - [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list
MLIST - [samza-commits] 20210310 [GitHub] [samza] Telesia opened a new pull request #1471: SAMZA-2630: Upgrade dependencies for security fixes
MLIST - [shiro-commits] 20201104 [GitHub] [shiro] coheigea opened a new pull request #262: Update Jetty to 9.4.33.v20201020 to fix CVE-2020-27216
MLIST - [shiro-commits] 20201104 [GitHub] [shiro] fpapon merged pull request #262: Update Jetty to 9.4.33.v20201020 to fix CVE-2020-27216
MLIST - [shiro-commits] 20201104 [shiro] branch master updated: Update Jetty to 9.4.33.v20201020 to fix CVE-2020-27216
MLIST - [zookeeper-commits] 20201124 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4017: Owasp check failing - Jetty 9.4.32 - CVE-2020-27216
MLIST - [zookeeper-commits] 20201124 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4017: Owasp check failing - Jetty 9.4.32 - CVE-2020-27216
MLIST - [zookeeper-commits] 20201124 [zookeeper] branch master updated: ZOOKEEPER-4017: Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - 
[zookeeper-dev] 20201123 Owasp test failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-dev] 20201123 Re: Owasp test failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-dev] 20201123 [jira] [Created] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-dev] 20201205 [jira] [Created] (ZOOKEEPER-4023) CLONE - Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-dev] 20201208 Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0 MLIST - [zookeeper-issues] 20201123 [jira] [Created] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-issues] 20201123 [jira] [Updated] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-issues] 20201124 [jira] [Resolved] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-issues] 20201124 [jira] [Updated] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-issues] 20201205 [jira] [Assigned] (ZOOKEEPER-4023) CLONE - Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-issues] 20201205 [jira] [Created] (ZOOKEEPER-4023) CLONE - Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-issues] 20201205 [jira] [Updated] (ZOOKEEPER-4023) dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218 MLIST - [zookeeper-notifications] 20201123 [GitHub] [zookeeper] anmolnar commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-notifications] 20201123 [GitHub] [zookeeper] anmolnar opened a new pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-notifications] 20201123 [GitHub] [zookeeper] eolivelli commented on pull request #1549: ZOOKEEPER-4017. 
Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-notifications] 20201123 [GitHub] [zookeeper] ztzg commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-notifications] 20201124 [GitHub] [zookeeper] anmolnar commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-notifications] 20201124 [GitHub] [zookeeper] anmolnar edited a comment on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-notifications] 20201124 [GitHub] [zookeeper] asfgit closed pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-notifications] 20201124 [GitHub] [zookeeper] nkalmar commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 OSSINDEX - [CVE-2020-27216] In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.b... OSSINDEX - [CVE-2020-27216] In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.b... OSSINDEX - [CVE-2020-27216] In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.b... Vulnerable Software & Versions: (show all )
CVE-2021-28165
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: HIGH (7.8) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
CONFIRM - https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w
OSSINDEX - [CVE-2021-28165] In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to ...
Vulnerable Software & Versions:
spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-http:9.3.11.v20160721)
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/META-INF/maven/org.eclipse.jetty/jetty-http/pom.xml
MD5: 509c2a0bad16b09c2d818fac7e2bf3e0
SHA1: 6fb3a335f41a316c0e65330225d48175499586b6
SHA256: c778faeacd8d36f9e77390243c84235e073b6c3e1d080076d631c6310dc1b348
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type     Source  Name               Value                          Confidence
Vendor   pom     url                http://www.eclipse.org/jetty   Highest
Vendor   pom     parent-groupid     org.eclipse.jetty              Medium
Vendor   pom     name               Jetty :: Http Utility          High
Vendor   pom     groupid            eclipse.jetty                  Highest
Vendor   pom     parent-artifactid  jetty-project                  Low
Vendor   pom     artifactid         jetty-http                     Low
Product  pom     artifactid         jetty-http                     Highest
Product  pom     parent-artifactid  jetty-project                  Medium
Product  pom     parent-groupid     org.eclipse.jetty              Medium
Product  pom     name               Jetty :: Http Utility          High
Product  pom     groupid            eclipse.jetty                  Highest
Product  pom     url                http://www.eclipse.org/jetty   Medium
Version  pom     version            9.3.11.v20160721               Highest
Published Vulnerabilities
CVE-2017-7656
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response. NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2017-7657
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary, as the fake pipelined request would not be interpreted by the intermediary as a request. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2017-7658
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-length headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization. CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2017-9735 (OSSINDEX)
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.eclipse.jetty:jetty-http:9.3.11.v20160721:*:*:*:*:*:*:*
CVE-2018-12536
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system. NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2018-12545
In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2019-10241
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2019-10247
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error; it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context. CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2020-27216
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2, on Unix-like systems, the system's temporary directory is shared between all users on that system. A co-located user can observe the process of creating a temporary subdirectory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability. NVD-CWE-Other
CVSSv2: Base Score: MEDIUM (4.4) Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.0) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
CONFIRM - https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921
CONFIRM - https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6#advisory-comment-63053
CONFIRM - https://security.netapp.com/advisory/ntap-20201123-0005/
MISC - https://www.oracle.com/security-alerts/cpujan2021.html
beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210410 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210415 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210416 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210422 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210423 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210426 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210510 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210510 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210511 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210512 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210513 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210514 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210517 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210519 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210520 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210520 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix 
CVE-2020-27216 MLIST - [beam-issues] 20210521 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210524 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210525 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210525 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210526 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210526 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [debian-lts-announce] 20210514 [SECURITY] [DLA 2661-1] jetty9 security update MLIST - [directory-commits] 20201104 [directory-server] branch master updated: Updating Jetty to 9.4.33 to fix CVE-2020-27216 MLIST - [druid-commits] 20201106 [GitHub] [druid] suneet-s opened a new pull request #10563: Bump jetty to latest version MLIST - [felix-commits] 20201125 [felix-dev] branch master updated: FELIX-6364 Security vulnerability CVE-2020-27216 , update jetty (#63) MLIST - [felix-dev] 20201125 [GitHub] [felix-dev] abhishekgarg18 opened a new pull request #63: FELIX-6364 Security vulnerability CVE-2020-27216 ,update jetty MLIST - [felix-dev] 20201125 [GitHub] [felix-dev] cziegeler merged pull request #63: FELIX-6364 Security vulnerability CVE-2020-27216 ,update jetty MLIST - [felix-dev] 20201125 [jira] [Assigned] (FELIX-6364) Security vulnerability CVE-2020-27216 ,update jetty MLIST - [felix-dev] 20201125 [jira] [Created] (FELIX-6364) Security vulnerability CVE-2020-27216 ,update jetty MLIST - [felix-dev] 20201125 [jira] [Resolved] (FELIX-6364) Security vulnerability CVE-2020-27216 ,update jetty MLIST - [felix-dev] 20201125 [jira] [Updated] (FELIX-6364) Security vulnerability CVE-2020-27216 ,update jetty MLIST - [iotdb-commits] 20210308 
[iotdb] branch master updated: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216 MLIST - [iotdb-notifications] 20210303 [jira] [Created] (IOTDB-1181) Upgrade jetty jar to fix CVE-2020-27216 MLIST - [iotdb-reviews] 20210303 [GitHub] [iotdb] wangchao316 commented on pull request #2768: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216 MLIST - [iotdb-reviews] 20210303 [GitHub] [iotdb] wangchao316 opened a new pull request #2768: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216 MLIST - [iotdb-reviews] 20210308 [GitHub] [iotdb] jixuan1989 commented on pull request #2768: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216 MLIST - [iotdb-reviews] 20210308 [GitHub] [iotdb] jixuan1989 merged pull request #2768: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216 MLIST - [kafka-jira] 20201104 [GitHub] [kafka] niteshmor opened a new pull request #9556: MINOR: Update jetty to 9.4.33 MLIST - [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list MLIST - [samza-commits] 20210310 [GitHub] [samza] Telesia opened a new pull request #1471: SAMZA-2630: Upgrade dependencies for security fixes MLIST - [shiro-commits] 20201104 [GitHub] [shiro] coheigea opened a new pull request #262: Update Jetty to 9.4.33.v20201020 to fix CVE-2020-27216 MLIST - [shiro-commits] 20201104 [GitHub] [shiro] fpapon merged pull request #262: Update Jetty to 9.4.33.v20201020 to fix CVE-2020-27216 MLIST - [shiro-commits] 20201104 [shiro] branch master updated: Update Jetty to 9.4.33.v20201020 to fix CVE-2020-27216 MLIST - [zookeeper-commits] 20201124 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4017: Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-commits] 20201124 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4017: Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-commits] 20201124 [zookeeper] branch master updated: ZOOKEEPER-4017: Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - 
[zookeeper-dev] 20201123 Owasp test failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-dev] 20201123 Re: Owasp test failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-dev] 20201123 [jira] [Created] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-dev] 20201205 [jira] [Created] (ZOOKEEPER-4023) CLONE - Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-dev] 20201208 Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0 MLIST - [zookeeper-issues] 20201123 [jira] [Created] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-issues] 20201123 [jira] [Updated] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-issues] 20201124 [jira] [Resolved] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-issues] 20201124 [jira] [Updated] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-issues] 20201205 [jira] [Assigned] (ZOOKEEPER-4023) CLONE - Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-issues] 20201205 [jira] [Created] (ZOOKEEPER-4023) CLONE - Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-issues] 20201205 [jira] [Updated] (ZOOKEEPER-4023) dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218 MLIST - [zookeeper-notifications] 20201123 [GitHub] [zookeeper] anmolnar commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-notifications] 20201123 [GitHub] [zookeeper] anmolnar opened a new pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-notifications] 20201123 [GitHub] [zookeeper] eolivelli commented on pull request #1549: ZOOKEEPER-4017. 
Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-notifications] 20201123 [GitHub] [zookeeper] ztzg commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-notifications] 20201124 [GitHub] [zookeeper] anmolnar commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-notifications] 20201124 [GitHub] [zookeeper] anmolnar edited a comment on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-notifications] 20201124 [GitHub] [zookeeper] asfgit closed pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-notifications] 20201124 [GitHub] [zookeeper] nkalmar commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 OSSINDEX - [CVE-2020-27216] In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.b...
Vulnerable Software & Versions:
CVE-2021-28165
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: HIGH (7.8) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
CONFIRM - https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w MLIST - [hbase-commits] 20210408 [hbase-thirdparty] branch master updated: HBASE-25746 [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165 (#49) MLIST - [hbase-dev] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165 MLIST - [hbase-issues] 20210407 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165 MLIST - [hbase-issues] 20210407 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165 MLIST - [hbase-issues] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165 MLIST - [hbase-issues] 20210407 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165 MLIST - [hbase-issues] 20210408 [GitHub] [hbase-thirdparty] apurtell merged pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165 MLIST - [hbase-issues] 20210408 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165 MLIST - [ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty MLIST - [ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty MLIST - [ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty MLIST - [ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty MLIST - [ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty MLIST - [kafka-dev] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39 MLIST - [kafka-dev] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty 
to 9.4.39 MLIST - [kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39 MLIST - [kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39 MLIST - [kafka-jira] 20210412 [jira] [Assigned] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39 MLIST - [kafka-jira] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39 MLIST - [kafka-jira] 20210412 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39 MLIST - [kafka-jira] 20210413 [GitHub] [kafka] chia7712 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39 MLIST - [kafka-jira] 20210413 [GitHub] [kafka] chia7712 merged pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39 MLIST - [kafka-jira] 20210413 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39 MLIST - [kafka-jira] 20210413 [GitHub] [kafka] edwin092 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39 MLIST - [kafka-jira] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39 MLIST - [kafka-jira] 20210413 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39 MLIST - [oss-security] 20210420 Vulnerability in Jenkins MLIST - [pulsar-commits] 20210409 [GitHub] [pulsar] dinghram opened a new pull request #10183: CVE-2021-28165-Jetty MLIST - [pulsar-commits] 20210409 [GitHub] [pulsar] merlimat commented on pull request #10183: CVE-2021-28165-Jetty MLIST - [pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai closed pull request #10183: CVE-2021-28165-Jetty MLIST - [pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai commented on pull request #10183: CVE-2021-28165-Jetty MLIST - [solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in 
Jetty library CVE-2021-28163 (+5) bundled within Solr MLIST - [solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr MLIST - [spark-commits] 20210408 [spark] branch branch-2.4 updated: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-commits] 20210408 [spark] branch branch-3.0 updated: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-issues] 20210408 [jira] [Assigned] (SPARK-34988) Upgrade Jetty for CVE-2021-28165 MLIST - [spark-issues] 20210408 [jira] [Commented] (SPARK-34988) Upgrade Jetty for CVE-2021-28165 MLIST - [spark-issues] 20210408 [jira] [Created] (SPARK-34988) Upgrade Jetty for CVE-2021-28165 MLIST - [spark-issues] 20210408 [jira] [Resolved] (SPARK-34988) Upgrade Jetty for CVE-2021-28165 MLIST - [spark-issues] 20210408 [jira] [Updated] (SPARK-34988) Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32094: 
[SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] HyukjinKwon commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] MaxGekk closed pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] MaxGekk commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun closed pull request #32095: [SPARK-34988][CORE][3.1] 
Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun edited a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - 
[spark-reviews] 20210408 [GitHub] [spark] viirya commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210517 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210517 [GitHub] [spark] jeffreysmooth commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.6.3 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-commits] 20210407 [zookeeper] branch master updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-dev] 20210407 Re: [VOTE] Apache ZooKeeper release 3.6.3 candidate 1 MLIST - [zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165 MLIST - [zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165 MLIST - [zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165 MLIST - [zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.38 CVE-2021-28165 MLIST - [zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad closed 
pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] asfgit closed pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 OSSINDEX - [CVE-2021-28165] In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to ...
Vulnerable Software & Versions:
spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-io:9.3.11.v20160721)
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/META-INF/maven/org.eclipse.jetty/jetty-io/pom.xml
MD5: 7292c2abb073718c950e0a0e00a28e4d
SHA1: a69b6b410056c1f527a0b2cefc7baed2cef4c635
SHA256: 5d921425af6f925c5b6ffaed1c778b541b710f035c1dd4233402fc3152870b42
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type    | Source | Name              | Value                        | Confidence
Vendor  | pom    | url               | http://www.eclipse.org/jetty | Highest
Vendor  | pom    | name              | Jetty :: IO Utility          | High
Vendor  | pom    | parent-groupid    | org.eclipse.jetty            | Medium
Vendor  | pom    | groupid           | eclipse.jetty                | Highest
Vendor  | pom    | artifactid        | jetty-io                     | Low
Vendor  | pom    | parent-artifactid | jetty-project                | Low
Product | pom    | name              | Jetty :: IO Utility          | High
Product | pom    | parent-artifactid | jetty-project                | Medium
Product | pom    | parent-groupid    | org.eclipse.jetty            | Medium
Product | pom    | artifactid        | jetty-io                     | Highest
Product | pom    | groupid           | eclipse.jetty                | Highest
Product | pom    | url               | http://www.eclipse.org/jetty | Medium
Version | pom    | version           | 9.3.11.v20160721             | Highest
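Note what the file path and evidence above actually say: there is no standalone Jetty jar on the classpath. dependency-check found META-INF/maven/org.eclipse.jetty/jetty-io/pom.xml inside spark-core_2.10-2.2.2.jar, i.e. Jetty 9.3.11.v20160721 is shaded into Spark itself. Bumping an org.eclipse.jetty dependency in the Gradle build, or excluding Jetty transitively, will not remove this finding; only a Spark upgrade replaces the embedded copy, and a suppression is only justified if the affected Jetty code paths are provably unreachable. The same version falls inside both ranges quoted on this page (CVE-2020-27216: 1.0 through 9.4.32.v20200930; CVE-2021-28165: 7.2.2 to 9.4.38). The script below is an added example, not part of the report or of dependency-check: it does the same walk over a jar's Maven metadata and checks every embedded Jetty module against those two ranges. The jar is constructed in memory, and the affected-range table covers only the 9.x line stated in the descriptions (the 10.x and 11.x ranges are left out on purpose).

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# Affected Jetty 9.x ranges, taken from the CVE descriptions on this page.
# The 10.x and 11.x ranges in those descriptions are deliberately left out,
# so an embedded 10.0.1 would NOT be flagged by this table.
AFFECTED_9X = {
    "CVE-2020-27216": ("1.0", "9.4.32"),
    "CVE-2021-28165": ("7.2.2", "9.4.38"),
}

# Shaded libraries are found through the Maven metadata the shade plugin leaves
# behind; this is the same path pattern as the "File Path" in the report above.
POM_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.xml$")


def parse_jetty_version(version):
    """'9.3.11.v20160721' -> (9, 3, 11); the vYYYYMMDD suffix is ignored."""
    nums = []
    for part in version.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums + [0] * (3 - len(nums)))[:3]


def _pom_text(root, tag):
    """Read <tag> from a pom.xml, falling back to <parent><tag> as Maven inheritance does."""
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    el = root.find(ns + tag)
    if el is None:
        parent = root.find(ns + "parent")
        el = parent.find(ns + tag) if parent is not None else None
    return el.text.strip() if el is not None and el.text else None


def shaded_coordinates(jar_bytes):
    """Return {(groupId, artifactId): version} for every Maven pom.xml embedded in a jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_RE.match(name)
            if m:
                root = ET.fromstring(zf.read(name))
                found[(m.group(1), m.group(2))] = _pom_text(root, "version")
    return found


def affected_cves(coords):
    """Map 'group:artifact:version' -> [CVE ids] for embedded Jetty modules inside AFFECTED_9X."""
    hits = {}
    for (group, artifact), version in coords.items():
        if group != "org.eclipse.jetty" or version is None:
            continue
        v = parse_jetty_version(version)
        for cve, (lo, hi) in AFFECTED_9X.items():
            if parse_jetty_version(lo) <= v <= parse_jetty_version(hi):
                hits.setdefault(f"{group}:{artifact}:{version}", []).append(cve)
    return hits


def scan_jar(jar_bytes):
    return affected_cves(shaded_coordinates(jar_bytes))


def build_sample_jar():
    """Constructed stand-in for spark-core_2.10-2.2.2.jar: a jar shading jetty-io 9.3.11.v20160721.
    The version is declared in <parent>, which is how Jetty module poms are laid out."""
    pom = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.eclipse.jetty</groupId>
    <artifactId>jetty-project</artifactId>
    <version>9.3.11.v20160721</version>
  </parent>
  <artifactId>jetty-io</artifactId>
  <name>Jetty :: IO Utility</name>
</project>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/org.eclipse.jetty/jetty-io/pom.xml", pom)
        zf.writestr("org/apache/spark/Placeholder.class", b"")  # unrelated jar content
    return buf.getvalue()


if __name__ == "__main__":
    for coord, cves in scan_jar(build_sample_jar()).items():
        print(coord, "->", ", ".join(sorted(cves)))
```

Point scan_jar at the real spark-core jar from the file path above to reproduce the report's finding; the parent fallback in _pom_text is what makes the version visible, since Jetty module poms carry it only in the parent block.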
Published Vulnerabilities
CVE-2021-28165 (OSSINDEX)
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.eclipse.jetty:jetty-io:9.3.11.v20160721:*:*:*:*:*:*:*

spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-plus:9.3.11.v20160721)
Description:
Jetty JavaEE style services
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/META-INF/maven/org.eclipse.jetty/jetty-plus/pom.xml
MD5: 6c9e58f0800385b0eb50a75df9a4ebf1
SHA1: d3b4d7009ca65eb972c3b644a6633d0042a343cd
SHA256: 42362d2eea75c008f58b90c1fda349733977031d56ebb36a75977a045d01300e
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type    | Source | Name              | Value                        | Confidence
Vendor  | pom    | url               | http://www.eclipse.org/jetty | Highest
Vendor  | pom    | name              | Jetty :: Plus                | High
Vendor  | pom    | artifactid        | jetty-plus                   | Low
Vendor  | pom    | parent-groupid    | org.eclipse.jetty            | Medium
Vendor  | pom    | groupid           | eclipse.jetty                | Highest
Vendor  | pom    | parent-artifactid | jetty-project                | Low
Product | pom    | name              | Jetty :: Plus                | High
Product | pom    | parent-artifactid | jetty-project                | Medium
Product | pom    | parent-groupid    | org.eclipse.jetty            | Medium
Product | pom    | groupid           | eclipse.jetty                | Highest
Product | pom    | url               | http://www.eclipse.org/jetty | Medium
Product | pom    | artifactid        | jetty-plus                   | Highest
Version | pom    | version           | 9.3.11.v20160721             | Highest
Published Vulnerabilities
CVE-2017-7656
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2017-7657
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2017-7658
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2017-9735 (OSSINDEX) suppress
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.eclipse.jetty:jetty-plus:9.3.11.v20160721:*:*:*:*:*:*:*
CVE-2018-12536
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2018-12545
In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2019-10241
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3:
Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2019-10247
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error; it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3:
Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2020-27216
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other
CVSSv2:
Base Score: MEDIUM (4.4) Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
Base Score: HIGH (7.0) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
CONFIRM - https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921
CONFIRM - https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6#advisory-comment-63053
CONFIRM - https://security.netapp.com/advisory/ntap-20201123-0005/
MISC - https://www.oracle.com/security-alerts/cpujan2021.html
MLIST - [debian-lts-announce] 20210514 [SECURITY] [DLA 2661-1] jetty9 security update
OSSINDEX - [CVE-2020-27216] In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.b...
Vulnerable Software & Versions:
CVE-2021-28165
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2:
Base Score: HIGH (7.8) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
CONFIRM - https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w
MLIST - [oss-security] 20210420 Vulnerability in Jenkins
OSSINDEX - [CVE-2021-28165] In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to ...
Vulnerable Software & Versions:
spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-proxy:9.3.11.v20160721)
Description:
Jetty Proxy
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/META-INF/maven/org.eclipse.jetty/jetty-proxy/pom.xml
MD5: 154cdc797a38914d94263bc568ab24ad
SHA1: 027b6432ceed5c9a130e4362eda5b2ee390a0ecf
SHA256: 8f6e128f7347bee311acd750545ca0a1332af4cbf92b81a2c46ae8fe5e1431b8
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | url | http://www.eclipse.org/jetty | Highest
Vendor | pom | parent-groupid | org.eclipse.jetty | Medium
Vendor | pom | groupid | eclipse.jetty | Highest
Vendor | pom | artifactid | jetty-proxy | Low
Vendor | pom | name | Jetty :: Proxy | High
Vendor | pom | parent-artifactid | jetty-project | Low
Product | pom | parent-artifactid | jetty-project | Medium
Product | pom | parent-groupid | org.eclipse.jetty | Medium
Product | pom | groupid | eclipse.jetty | Highest
Product | pom | artifactid | jetty-proxy | Highest
Product | pom | name | Jetty :: Proxy | High
Product | pom | url | http://www.eclipse.org/jetty | Medium
Version | pom | version | 9.3.11.v20160721 | Highest
spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-security:9.3.11.v20160721)
Description:
Jetty security infrastructure
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/META-INF/maven/org.eclipse.jetty/jetty-security/pom.xml
MD5: 2162ed280aaddaa7d50aa463cf645494
SHA1: 4c017e6920e5a79e79424445aba656d198e41690
SHA256: c4305e661fca123e5393de1519e1374c3e73a6b1620c4001bd23b78b4446150a
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | url | http://www.eclipse.org/jetty | Highest
Vendor | pom | parent-groupid | org.eclipse.jetty | Medium
Vendor | pom | name | Jetty :: Security | High
Vendor | pom | groupid | eclipse.jetty | Highest
Vendor | pom | artifactid | jetty-security | Low
Vendor | pom | parent-artifactid | jetty-project | Low
Product | pom | artifactid | jetty-security | Highest
Product | pom | parent-artifactid | jetty-project | Medium
Product | pom | parent-groupid | org.eclipse.jetty | Medium
Product | pom | name | Jetty :: Security | High
Product | pom | groupid | eclipse.jetty | Highest
Product | pom | url | http://www.eclipse.org/jetty | Medium
Version | pom | version | 9.3.11.v20160721 | Highest
Published Vulnerabilities
CVE-2017-7656
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2017-7657
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2017-7658
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two Content-Length headers, Jetty ignored the second. When presented with a Content-Length and a chunked encoding header, the Content-Length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2018-12536
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2018-12545
In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
CWE: CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2019-10241
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to cross-site scripting (XSS) if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2019-10247
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location in the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error; it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE: CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2020-27216
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2, on Unix-like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
CWE: NVD-CWE-Other
CVSSv2: Base Score: MEDIUM (4.4) Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.0) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
CONFIRM - https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921
CONFIRM - https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6#advisory-comment-63053
CONFIRM - https://security.netapp.com/advisory/ntap-20201123-0005/
MISC - https://www.oracle.com/security-alerts/cpujan2021.html
MLIST - [debian-lts-announce] 20210514 [SECURITY] [DLA 2661-1] jetty9 security update
OSSINDEX - [CVE-2020-27216] In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.b...
Vulnerable Software & Versions:
CVE-2021-28165
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE: CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: HIGH (7.8) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
CONFIRM - https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w
[SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] HyukjinKwon commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] MaxGekk closed pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] MaxGekk commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun closed pull request #32095: [SPARK-34988][CORE][3.1] 
Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun edited a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - 
[spark-reviews] 20210408 [GitHub] [spark] viirya commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210517 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210517 [GitHub] [spark] jeffreysmooth commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.6.3 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-commits] 20210407 [zookeeper] branch master updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-dev] 20210407 Re: [VOTE] Apache ZooKeeper release 3.6.3 candidate 1 MLIST - [zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165 MLIST - [zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165 MLIST - [zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165 MLIST - [zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.38 CVE-2021-28165 MLIST - [zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad closed 
pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] asfgit closed pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 OSSINDEX - [CVE-2021-28165] In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to ... OSSINDEX - [CVE-2021-28165] In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to ... OSSINDEX - [CVE-2021-28165] In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to ... Vulnerable Software & Versions: (show all )
spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-server:9.3.11.v20160721)
Description: The core jetty server artifact.
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/META-INF/maven/org.eclipse.jetty/jetty-server/pom.xml
MD5: 6fed40b40a9c6428866a81aba461ce0e
SHA1: f46e25f8f6c4f9ceae22f36bc5836e1ddc7cbd63
SHA256: c89d09095fbad276fa96adb87ddee1d3948b5e171afc2439c05c32f366ae730e
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Note: all vendor, product and version evidence for this entry comes from the jetty-server pom.xml embedded in the spark-core jar (the "shaded" marker above), so the findings below concern the Jetty copy bundled inside spark-core. Pinning a separate org.eclipse.jetty:jetty-server version does not change them; the remediation path is a spark-core build that bundles a patched Jetty, or a suppression with a documented justification if the embedded server is never started.
Evidence (Type | Source | Name | Value | Confidence):
Vendor | pom | url | http://www.eclipse.org/jetty | Highest
Vendor | pom | parent-groupid | org.eclipse.jetty | Medium
Vendor | pom | groupid | eclipse.jetty | Highest
Vendor | pom | parent-artifactid | jetty-project | Low
Vendor | pom | artifactid | jetty-server | Low
Vendor | pom | name | Jetty :: Server Core | High
Product | pom | artifactid | jetty-server | Highest
Product | pom | parent-artifactid | jetty-project | Medium
Product | pom | parent-groupid | org.eclipse.jetty | Medium
Product | pom | groupid | eclipse.jetty | Highest
Product | pom | url | http://www.eclipse.org/jetty | Medium
Product | pom | name | Jetty :: Server Core | High
Version | pom | version | 9.3.11.v20160721 | Highest
Published Vulnerabilities
CVE-2017-7656
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2017-7657
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
CVSSv2: Base Score: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
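The integer-overflow mechanism described for CVE-2017-7657, modelled in Python as an added example; this is not Jetty's code, and the 16 MiB chunk cap, the function names and the payload are constructed for illustration. The flawed decoder accumulates the hex chunk-size into a 32-bit signed int and lets it wrap, so a declared size of 0x100000005 is read as 5; whatever follows those five bytes is handed to the request parser as a pipelined request, which is exactly the part of the stream an authorising intermediary (still counting down four billion bytes of chunk data) never saw as a request. The strict decoder fails closed instead.

```python
from typing import Callable, Tuple

INT32_MAX = 0x7FFFFFFF
MAX_CHUNK = 16 * 1024 * 1024   # hardened cap; an assumed value, tune per deployment


def _wrap32(value: int) -> int:
    """Reduce to a two's-complement 32-bit signed int, as Java int arithmetic does."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value > INT32_MAX else value


def parse_chunk_size_vulnerable(size_line: bytes) -> int:
    """Model of the flawed decoder: hex digits accumulate in a 32-bit int and wrap."""
    size = 0
    for ch in size_line.split(b";")[0].strip():      # drop chunk extensions
        size = _wrap32(size * 16 + int(chr(ch), 16))
    return size


def parse_chunk_size_strict(size_line: bytes) -> int:
    """Hardened decoder: fail closed on empty, non-hex, or oversized chunk sizes."""
    digits = size_line.split(b";")[0].strip()
    if not digits:
        raise ValueError("empty chunk-size")
    size = 0
    for ch in digits:
        size = size * 16 + int(chr(ch), 16)          # Python ints never wrap
        if size > MAX_CHUNK:
            raise ValueError("chunk-size exceeds limit")
    return size


def decode_chunked(body: bytes, parse_size: Callable[[bytes], int]) -> Tuple[bytes, bytes]:
    """Decode a chunked body with the given size parser.

    Returns (decoded_body, leftover). Bytes left over after the last-chunk are what a
    pipelining-capable server would go on to parse as the next request on the connection.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = parse_size(body[pos:eol])
        pos = eol + 2
        if size == 0:
            if body[pos:pos + 2] == b"\r\n":          # empty trailer section
                pos += 2
            return bytes(out), body[pos:]
        if size < 0 or pos + size > len(body):
            raise ValueError("chunk runs past end of buffer")
        out += body[pos:pos + size]
        pos += size + 2                               # skip the CRLF after chunk-data


# Constructed attacker payload (not captured traffic): the declared size 0x100000005
# wraps to 5 in 32-bit arithmetic, so the flawed decoder stops after "HELLO" and the
# remaining bytes surface as a second, never-authorised request.
SMUGGLE = (b"100000005\r\nHELLO\r\n0\r\n\r\n"
           b"GET /admin HTTP/1.1\r\nHost: internal\r\n\r\n")
```

The cap belongs on both hops: an intermediary that streams chunk bodies without bounding their declared size is the other half of the problem, because it is the one that forwards the smuggled request as opaque body bytes.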
CVE-2017-7658
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two Content-Length headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: HIGH (7.5) Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
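A framing validator covering the HTTP/0.9 request-line problem of CVE-2017-7656 and the duplicate Content-Length / Content-Length-plus-Transfer-Encoding ambiguity of CVE-2017-7658, written as an added example rather than taken from Jetty. The rule it enforces is the one a front-end and an origin must share for request smuggling to be impossible: reject any message whose body length could be computed two ways, instead of picking a precedence the next hop might pick differently. The sample requests are constructed, not captured.

```python
from typing import Dict, List, Tuple


class FramingError(ValueError):
    """Raised for any request whose framing is unsupported or ambiguous."""


def parse_head(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]]]:
    """Split a raw request into its request line and lower-cased (name, value) pairs."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("incomplete header block")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise FramingError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def validate_framing(raw: bytes) -> Dict[str, object]:
    """Return {'version', 'length'} only when the body length is unambiguous."""
    request_line, headers = parse_head(raw)
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise FramingError("request line is not method SP target SP version")
    version = parts[2]
    if version not in (b"HTTP/1.0", b"HTTP/1.1"):
        # CVE-2017-7656: an HTTP/1-style line naming HTTP/0.9 must not be honoured
        raise FramingError("unsupported version %r" % version)

    content_lengths = [v for n, v in headers if n == b"content-length"]
    transfer_encodings = [v for n, v in headers if n == b"transfer-encoding"]

    # CVE-2017-7658 (a): several Content-Length values are tolerated only if identical
    if len(set(content_lengths)) > 1:
        raise FramingError("conflicting Content-Length values %r" % content_lengths)
    # CVE-2017-7658 (b): Content-Length beside Transfer-Encoding is rejected, not resolved
    if content_lengths and transfer_encodings:
        raise FramingError("Content-Length and Transfer-Encoding both present")

    if transfer_encodings:
        codings = b",".join(transfer_encodings).lower().replace(b" ", b"").split(b",")
        if codings[-1] != b"chunked":
            raise FramingError("final transfer-coding must be chunked")
        return {"version": version, "length": "chunked"}
    if content_lengths:
        if not content_lengths[0].isdigit():
            raise FramingError("non-numeric Content-Length")
        return {"version": version, "length": int(content_lengths[0])}
    return {"version": version, "length": 0}


# Constructed requests (not captured traffic)
OK_REQ = b"POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n\r\nhello"
HTTP09 = b"GET /x HTTP/0.9\r\nHost: app\r\n\r\n"
DOUBLE_CL = (b"POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n"
             b"Content-Length: 44\r\n\r\nhelloGET /admin HTTP/1.1\r\nHost: app\r\n\r\n")
CL_TE = (b"POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 4\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nGET /admin HTTP/1.1\r\n\r\n")
```

Run the same validator at the proxy and at the origin: a rejection at either hop closes the connection before any second interpretation of the bytes can happen.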
CVE-2017-9735 (OSSINDEX)
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.eclipse.jetty:jetty-server:9.3.11.v20160721:*:*:*:*:*:*:*
CVE-2018-12536
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
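The timing channel of CVE-2017-9735 above, as an added example (not Jetty's Password.java). Instead of measuring wall-clock time, which is noisy on a single host, the comparison functions report how many characters they examined before returning: that count is what an attacker infers from response latency, and with an early-exit comparison it grows with the length of the correctly guessed prefix. The fixed-work version, and the library primitive hmac.compare_digest, do not leak it. The secret and the guesses are constructed.

```python
import hmac
from typing import Callable, Iterable, List, Tuple


def check_password_vulnerable(stored: str, guess: str) -> Tuple[bool, int]:
    """Early-exit comparison. Returns (match, chars_examined)."""
    examined = 0
    if len(stored) != len(guess):
        return False, examined          # length mismatch leaks immediately
    for a, b in zip(stored, guess):
        examined += 1
        if a != b:
            return False, examined      # stops at the first wrong character
    return True, examined


def check_password_fixed(stored: str, guess: str) -> Tuple[bool, int]:
    """Fixed-work comparison: examine every character, fold mismatches into one flag."""
    examined = 0
    diff = len(stored) ^ len(guess)
    # Iterate over the guess so the work depends only on attacker-controlled length
    for i, b in enumerate(guess):
        examined += 1
        a = stored[i] if i < len(stored) else "\0"
        diff |= ord(a) ^ ord(b)
    return diff == 0, examined


def check_password(stored: str, guess: str) -> bool:
    """What to ship: the standard-library constant-time comparison on bytes."""
    return hmac.compare_digest(stored.encode(), guess.encode())


def prefix_leak(check: Callable[[str, str], Tuple[bool, int]],
                stored: str, guesses: Iterable[str]) -> List[int]:
    """Work counts an attacker would observe across a series of guesses."""
    return [check(stored, g)[1] for g in guesses]


# Constructed credential and guesses whose correct prefix grows by steps
SECRET = "s3cretpassw0rd"
GUESSES = ["xxxxxxxxxxxxxx", "s3xxxxxxxxxxxx", "s3cretxxxxxxxx"]
```

In practice the stored value should be a salted hash rather than the clear password, and the comparison should then run over the two digests; the constant-time requirement is the same either way.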
CVE-2018-12545
In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
CWE: CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
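A SETTINGS-frame handler with a per-connection budget, illustrating the resource exhaustion described for CVE-2018-12545 above. This is an added example, not Jetty's HTTP/2 code: the frame layout follows RFC 7540 (9-byte header with 24-bit length, type, flags and 31-bit stream id; 6-byte identifier/value entries; stream 0 only), while the limits (16 entries per frame, 64 entries per one-second window), the exception names and the injected clock are assumptions. Charging an empty frame one unit is what defeats the second variant, many small frames.

```python
import struct
from typing import Callable, List, Tuple

SETTINGS_TYPE = 0x4
ACK_FLAG = 0x1
MAX_SETTINGS_PER_FRAME = 16     # assumed limit on entries in one frame
MAX_SETTINGS_PER_WINDOW = 64    # assumed limit on entries accepted per window
WINDOW_SECONDS = 1.0


class ProtocolError(Exception):
    """Malformed frame; a real server answers with GOAWAY(PROTOCOL_ERROR)."""


class EnhanceYourCalm(Exception):
    """Budget exceeded; a real server answers with GOAWAY(ENHANCE_YOUR_CALM)."""


def parse_frame_header(buf: bytes) -> Tuple[int, int, int, int]:
    """Return (length, type, flags, stream_id) from a 9-byte HTTP/2 frame header."""
    if len(buf) < 9:
        raise ProtocolError("short frame header")
    length = int.from_bytes(buf[0:3], "big")
    frame_type, flags = buf[3], buf[4]
    stream_id = struct.unpack(">I", buf[5:9])[0] & 0x7FFFFFFF
    return length, frame_type, flags, stream_id


def parse_settings_payload(payload: bytes) -> List[Tuple[int, int]]:
    """Decode 6-byte (identifier, value) entries."""
    if len(payload) % 6:
        raise ProtocolError("SETTINGS length not a multiple of 6")
    return [struct.unpack(">HI", payload[i:i + 6]) for i in range(0, len(payload), 6)]


class SettingsBudget:
    """Sliding-window limit on settings entries (not frames) per connection."""

    def __init__(self, clock: Callable[[], float]):
        self._clock = clock
        self._events: List[Tuple[float, int]] = []

    def charge(self, count: int) -> None:
        now = self._clock()
        self._events = [(t, n) for t, n in self._events if now - t < WINDOW_SECONDS]
        if sum(n for _, n in self._events) + count > MAX_SETTINGS_PER_WINDOW:
            raise EnhanceYourCalm("SETTINGS rate exceeded")
        self._events.append((now, count))


def handle_settings_frame(frame: bytes, budget: SettingsBudget) -> List[Tuple[int, int]]:
    """Validate one SETTINGS frame against the budget and return its entries."""
    length, frame_type, flags, stream_id = parse_frame_header(frame)
    if frame_type != SETTINGS_TYPE:
        raise ProtocolError("not a SETTINGS frame")
    if stream_id != 0:
        raise ProtocolError("SETTINGS must be sent on stream 0")
    payload = frame[9:9 + length]
    if len(payload) != length:
        raise ProtocolError("truncated frame")
    if flags & ACK_FLAG:
        if length:
            raise ProtocolError("SETTINGS ACK with payload")
        return []
    settings = parse_settings_payload(payload)
    if len(settings) > MAX_SETTINGS_PER_FRAME:
        raise EnhanceYourCalm("too many settings in one frame")
    budget.charge(max(1, len(settings)))   # an empty frame still costs one unit
    return settings


def build_settings_frame(settings: List[Tuple[int, int]]) -> bytes:
    """Encode a non-ACK SETTINGS frame on stream 0 (used to construct test input)."""
    payload = b"".join(struct.pack(">HI", k, v) for k, v in settings)
    return (len(payload).to_bytes(3, "big") + bytes([SETTINGS_TYPE, 0])
            + b"\x00\x00\x00\x00" + payload)
```

The budget is keyed per connection; a flood from many connections is a separate problem handled by connection limits, not by this class.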
CVE-2019-10241
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2019-10247
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE: CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
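An error handler that keeps the base-resource path out of the response, for the disclosures in CVE-2018-12536 and CVE-2019-10247 above. This is an added example, not Jetty's ErrorHandler or DefaultHandler; InvalidPathException is a stand-in class for java.nio.file.InvalidPathException, whose message carries the full path, and the incident-id scheme is an assumption. The full exception goes to the log under an id; the client receives the status, a generic reason and the id, so the operator can still correlate without the requester learning the file-system layout.

```python
import logging
import uuid
from typing import Dict, Tuple

log = logging.getLogger("errors")

GENERIC_REASON = {
    400: "Bad Request",
    404: "Not Found",
    500: "Internal Server Error",
}


class InvalidPathException(Exception):
    """Stand-in for java.nio.file.InvalidPathException (message includes the path)."""


def render_error_vulnerable(status: int, exc: Exception) -> str:
    """Default-style page: the exception message, path and all, lands in the body."""
    return ("<h2>HTTP ERROR %d</h2><p>Problem accessing resource. Reason:<pre>%s</pre></p>"
            % (status, exc))


def render_error(status: int, exc: Exception) -> Tuple[str, Dict[str, str]]:
    """Generic body for the client, full detail only in the log. Returns (body, record)."""
    incident = uuid.uuid4().hex[:12]
    record = {
        "incident": incident,
        "status": str(status),
        "type": type(exc).__name__,
        "detail": str(exc),
    }
    log.error("incident=%s status=%s %s: %s",
              incident, status, record["type"], record["detail"])
    body = "<h2>HTTP ERROR %d</h2><p>%s (incident %s)</p>" % (
        status, GENERIC_REASON.get(status, "Error"), incident)
    return body, record


def leaks_path(body: str, base_resource: str) -> bool:
    """Check to run against any error page: does it echo the configured base path?"""
    return base_resource in body


# Constructed deployment path and the kind of message the JDK produces for a bad character
SAMPLE_BASE = "/opt/app/webapps/root"
SAMPLE_EXC = InvalidPathException("Illegal char <:> at index 5: %s/foo:bar" % SAMPLE_BASE)
```

The same rule covers the 404 page from the DefaultHandler: a list of context paths is fine to show, the base resource behind each of them is not.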
CVE-2020-27216
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2, on Unix-like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary subdirectory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
CWE: NVD-CWE-Other
CVSSv2: Base Score: MEDIUM (4.4) Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.0) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
CONFIRM - https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921 CONFIRM - https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6#advisory-comment-63053 CONFIRM - https://security.netapp.com/advisory/ntap-20201123-0005/ MISC - https://www.oracle.com/security-alerts/cpujan2021.html MLIST - [beam-issues] 20201110 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20201211 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20201211 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20201218 [jira] [Assigned] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20201218 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20201218 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210126 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210127 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210219 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210219 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210219 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210220 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210220 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210222 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - 
[beam-issues] 20210223 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210223 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210223 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210302 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210302 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210303 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210303 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210303 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210304 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210305 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210305 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210308 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210309 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210310 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210310 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210311 [jira] [Assigned] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210311 
[jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210311 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210312 [jira] [Assigned] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210312 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210312 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210312 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210312 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210313 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210315 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210315 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210315 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210316 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210316 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210322 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210322 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210323 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210324 [jira] [Work logged] (BEAM-11227) 
Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210325 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210326 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210327 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210329 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210330 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210331 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210402 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210402 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210405 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210406 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210407 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210408 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210409 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210409 [jira] [Reopened] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210409 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210410 [jira] [Comment Edited] (BEAM-11227) Upgrade 
beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210410 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210415 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210416 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210422 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210423 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210426 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210510 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210510 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210511 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210512 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210513 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210514 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210517 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210519 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210520 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210520 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix 
CVE-2020-27216 MLIST - [beam-issues] 20210521 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210524 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210525 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210525 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210526 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210526 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [debian-lts-announce] 20210514 [SECURITY] [DLA 2661-1] jetty9 security update MLIST - [directory-commits] 20201104 [directory-server] branch master updated: Updating Jetty to 9.4.33 to fix CVE-2020-27216 MLIST - [druid-commits] 20201106 [GitHub] [druid] suneet-s opened a new pull request #10563: Bump jetty to latest version MLIST - [felix-commits] 20201125 [felix-dev] branch master updated: FELIX-6364 Security vulnerability CVE-2020-27216 , update jetty (#63) MLIST - [felix-dev] 20201125 [GitHub] [felix-dev] abhishekgarg18 opened a new pull request #63: FELIX-6364 Security vulnerability CVE-2020-27216 ,update jetty MLIST - [felix-dev] 20201125 [GitHub] [felix-dev] cziegeler merged pull request #63: FELIX-6364 Security vulnerability CVE-2020-27216 ,update jetty MLIST - [felix-dev] 20201125 [jira] [Assigned] (FELIX-6364) Security vulnerability CVE-2020-27216 ,update jetty MLIST - [felix-dev] 20201125 [jira] [Created] (FELIX-6364) Security vulnerability CVE-2020-27216 ,update jetty MLIST - [felix-dev] 20201125 [jira] [Resolved] (FELIX-6364) Security vulnerability CVE-2020-27216 ,update jetty MLIST - [felix-dev] 20201125 [jira] [Updated] (FELIX-6364) Security vulnerability CVE-2020-27216 ,update jetty MLIST - [iotdb-commits] 20210308 
[iotdb] branch master updated: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216 MLIST - [iotdb-notifications] 20210303 [jira] [Created] (IOTDB-1181) Upgrade jetty jar to fix CVE-2020-27216 MLIST - [iotdb-reviews] 20210303 [GitHub] [iotdb] wangchao316 commented on pull request #2768: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216 MLIST - [iotdb-reviews] 20210303 [GitHub] [iotdb] wangchao316 opened a new pull request #2768: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216 MLIST - [iotdb-reviews] 20210308 [GitHub] [iotdb] jixuan1989 commented on pull request #2768: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216 MLIST - [iotdb-reviews] 20210308 [GitHub] [iotdb] jixuan1989 merged pull request #2768: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216 MLIST - [kafka-jira] 20201104 [GitHub] [kafka] niteshmor opened a new pull request #9556: MINOR: Update jetty to 9.4.33 MLIST - [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list MLIST - [samza-commits] 20210310 [GitHub] [samza] Telesia opened a new pull request #1471: SAMZA-2630: Upgrade dependencies for security fixes MLIST - [shiro-commits] 20201104 [GitHub] [shiro] coheigea opened a new pull request #262: Update Jetty to 9.4.33.v20201020 to fix CVE-2020-27216 MLIST - [shiro-commits] 20201104 [GitHub] [shiro] fpapon merged pull request #262: Update Jetty to 9.4.33.v20201020 to fix CVE-2020-27216 MLIST - [shiro-commits] 20201104 [shiro] branch master updated: Update Jetty to 9.4.33.v20201020 to fix CVE-2020-27216 MLIST - [zookeeper-commits] 20201124 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4017: Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-commits] 20201124 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4017: Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-commits] 20201124 [zookeeper] branch master updated: ZOOKEEPER-4017: Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - 
[zookeeper-dev] 20201123 Owasp test failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-dev] 20201123 Re: Owasp test failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-dev] 20201123 [jira] [Created] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-dev] 20201205 [jira] [Created] (ZOOKEEPER-4023) CLONE - Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-dev] 20201208 Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0 MLIST - [zookeeper-issues] 20201123 [jira] [Created] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-issues] 20201123 [jira] [Updated] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-issues] 20201124 [jira] [Resolved] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-issues] 20201124 [jira] [Updated] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-issues] 20201205 [jira] [Assigned] (ZOOKEEPER-4023) CLONE - Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-issues] 20201205 [jira] [Created] (ZOOKEEPER-4023) CLONE - Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-issues] 20201205 [jira] [Updated] (ZOOKEEPER-4023) dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218 MLIST - [zookeeper-notifications] 20201123 [GitHub] [zookeeper] anmolnar commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-notifications] 20201123 [GitHub] [zookeeper] anmolnar opened a new pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-notifications] 20201123 [GitHub] [zookeeper] eolivelli commented on pull request #1549: ZOOKEEPER-4017. 
Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-notifications] 20201123 [GitHub] [zookeeper] ztzg commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-notifications] 20201124 [GitHub] [zookeeper] anmolnar commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-notifications] 20201124 [GitHub] [zookeeper] anmolnar edited a comment on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-notifications] 20201124 [GitHub] [zookeeper] asfgit closed pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 MLIST - [zookeeper-notifications] 20201124 [GitHub] [zookeeper] nkalmar commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 OSSINDEX - [CVE-2020-27216] In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.b...
Vulnerable Software & Versions:
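CVE-2020-27216, whose reference list for the previous dependency ends above and whose description appears in full under spark-core below, is a race on the shared system temporary directory: a co-located local user can win the creation of Jetty's per-webapp scratch subdirectory and then write into the unpacked WEB-INF/lib and JSP files. Upgrading Jetty fixes the race, but the condition that makes it possible (a scratch directory shared with other users) is also worth checking directly, because an operator can remove it on any version by giving the service a private directory. The Python below is an added example, not Jetty's or Dependency-Check's code, that inspects the directory a Jetty-based service will use (java.io.tmpdir, or the webapp's configured temp directory) for ownership by another user and for group or world write permission. It is POSIX-only; the uid values and modes used in the demonstration are constructed.

```python
import os
import stat
import tempfile
from typing import List


def issues_from_stat(mode: int, owner_uid: int, running_uid: int) -> List[str]:
    """Pure check behind tmpdir_issues(): takes the st_mode and st_uid of the
    directory plus the uid the service runs as, returns a list of problems.

    The precondition for CVE-2020-27216 is a scratch directory that other
    local users can write to (as /tmp is). A directory owned by the service
    user and writable by nobody else gives an attacker nothing to race."""
    problems = []
    if not stat.S_ISDIR(mode):
        problems.append("not a directory")
        return problems
    if owner_uid != running_uid:
        problems.append(f"owned by uid {owner_uid}, not the service uid {running_uid}")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IWOTH:
        # The sticky bit (set on /tmp) only restricts deleting or renaming
        # other users' entries; it does not stop another user from creating
        # the subdirectory first, which is the race the advisory describes.
        problems.append("world-writable" + (" (sticky)" if mode & stat.S_ISVTX else ""))
    return problems


def tmpdir_issues(path: str) -> List[str]:
    """Check the directory a Jetty-based service will use as java.io.tmpdir
    (or as the webapp temp directory) against the running user."""
    try:
        st = os.stat(path)
    except OSError:
        return ["does not exist"]
    return issues_from_stat(st.st_mode, st.st_uid, os.geteuid())


def fresh_private_dir() -> str:
    """Create a private scratch directory; tempfile.mkdtemp uses mode 0700
    regardless of umask, which is what the service directory should look like."""
    return tempfile.mkdtemp(prefix="jetty-work-")


if __name__ == "__main__":
    # Constructed demonstration: the system temp directory (normally 1777)
    # against a freshly created private one.
    private = fresh_private_dir()
    for candidate in (tempfile.gettempdir(), private):
        print(candidate, tmpdir_issues(candidate) or "ok")
    os.rmdir(private)
```

Once the directory passes, point the JVM at it with the standard -Djava.io.tmpdir=/path option (or set Jetty's webapp temp directory to it) and create it with mode 0700 for the service user before the service starts; a sticky /tmp still fails the check on purpose, for the reason given in the comment.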
CVE-2021-28165
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: HIGH (7.8) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
CONFIRM - https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w MLIST - [hbase-commits] 20210408 [hbase-thirdparty] branch master updated: HBASE-25746 [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165 (#49) MLIST - [hbase-dev] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165 MLIST - [hbase-issues] 20210407 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165 MLIST - [hbase-issues] 20210407 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165 MLIST - [hbase-issues] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165 MLIST - [hbase-issues] 20210407 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165 MLIST - [hbase-issues] 20210408 [GitHub] [hbase-thirdparty] apurtell merged pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165 MLIST - [hbase-issues] 20210408 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165 MLIST - [ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty MLIST - [ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty MLIST - [ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty MLIST - [ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty MLIST - [ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty MLIST - [kafka-dev] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39 MLIST - [kafka-dev] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty 
to 9.4.39 MLIST - [kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39 MLIST - [kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39 MLIST - [kafka-jira] 20210412 [jira] [Assigned] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39 MLIST - [kafka-jira] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39 MLIST - [kafka-jira] 20210412 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39 MLIST - [kafka-jira] 20210413 [GitHub] [kafka] chia7712 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39 MLIST - [kafka-jira] 20210413 [GitHub] [kafka] chia7712 merged pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39 MLIST - [kafka-jira] 20210413 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39 MLIST - [kafka-jira] 20210413 [GitHub] [kafka] edwin092 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39 MLIST - [kafka-jira] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39 MLIST - [kafka-jira] 20210413 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39 MLIST - [oss-security] 20210420 Vulnerability in Jenkins MLIST - [pulsar-commits] 20210409 [GitHub] [pulsar] dinghram opened a new pull request #10183: CVE-2021-28165-Jetty MLIST - [pulsar-commits] 20210409 [GitHub] [pulsar] merlimat commented on pull request #10183: CVE-2021-28165-Jetty MLIST - [pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai closed pull request #10183: CVE-2021-28165-Jetty MLIST - [pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai commented on pull request #10183: CVE-2021-28165-Jetty MLIST - [solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in 
Jetty library CVE-2021-28163 (+5) bundled within Solr MLIST - [solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr MLIST - [spark-commits] 20210408 [spark] branch branch-2.4 updated: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-commits] 20210408 [spark] branch branch-3.0 updated: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-issues] 20210408 [jira] [Assigned] (SPARK-34988) Upgrade Jetty for CVE-2021-28165 MLIST - [spark-issues] 20210408 [jira] [Commented] (SPARK-34988) Upgrade Jetty for CVE-2021-28165 MLIST - [spark-issues] 20210408 [jira] [Created] (SPARK-34988) Upgrade Jetty for CVE-2021-28165 MLIST - [spark-issues] 20210408 [jira] [Resolved] (SPARK-34988) Upgrade Jetty for CVE-2021-28165 MLIST - [spark-issues] 20210408 [jira] [Updated] (SPARK-34988) Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32094: 
[SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] HyukjinKwon commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] MaxGekk closed pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] MaxGekk commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun closed pull request #32095: [SPARK-34988][CORE][3.1] 
Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun edited a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - 
[spark-reviews] 20210408 [GitHub] [spark] viirya commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210517 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [spark-reviews] 20210517 [GitHub] [spark] jeffreysmooth commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165 MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.6.3 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-commits] 20210407 [zookeeper] branch master updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-dev] 20210407 Re: [VOTE] Apache ZooKeeper release 3.6.3 candidate 1 MLIST - [zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165 MLIST - [zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165 MLIST - [zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165 MLIST - [zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.38 CVE-2021-28165 MLIST - [zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad closed 
pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] asfgit closed pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 OSSINDEX - [CVE-2021-28165] In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to ...
Vulnerable Software & Versions:
spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-servlet:9.3.11.v20160721)
Description: Jetty Servlet Container
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/META-INF/maven/org.eclipse.jetty/jetty-servlet/pom.xml
MD5: b09a07bb2a8a4dd35885b47444bae2ec
SHA1: 6c1fbbb127738f47e92a9fab48e050eadd162ace
SHA256: 956c469d09495e33870ab16f690e469af37714cc5782e4083ae94307d54b88a9
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type     Source  Name               Value                         Confidence
Vendor   pom     name               Jetty :: Servlet Handling     High
Vendor   pom     url                http://www.eclipse.org/jetty  Highest
Vendor   pom     artifactid         jetty-servlet                 Low
Vendor   pom     parent-groupid     org.eclipse.jetty             Medium
Vendor   pom     groupid            eclipse.jetty                 Highest
Vendor   pom     parent-artifactid  jetty-project                 Low
Product  pom     artifactid         jetty-servlet                 Highest
Product  pom     name               Jetty :: Servlet Handling     High
Product  pom     parent-artifactid  jetty-project                 Medium
Product  pom     parent-groupid     org.eclipse.jetty             Medium
Product  pom     groupid            eclipse.jetty                 Highest
Product  pom     url                http://www.eclipse.org/jetty  Medium
Version  pom     version            9.3.11.v20160721              Highest
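The finding above is not against a jetty-servlet jar on the classpath: Dependency-Check found the Jetty coordinates in META-INF/maven/org.eclipse.jetty/jetty-servlet/pom.xml inside spark-core_2.10-2.2.2.jar, that is, a shaded (bundled) copy. Changing the Jetty version declared in the Gradle build does nothing to that copy; it goes away only with a spark-core release that bundles a fixed Jetty, or by excluding and relocating the shaded classes yourself. The Python script below is an added example, not part of Dependency-Check or of this report, that reproduces the detection by hand so the result can be checked against other jars in the cache: it lists every Maven coordinate recorded in META-INF/maven/*/*/pom.properties (the key=value file Maven writes beside pom.xml) and flags versions below a minimum you supply. The sample jar is constructed in memory from the coordinates on this page; the 9.4.39 minimum is the version the Kafka, HBase and ZooKeeper references above upgraded to for CVE-2021-28165; and comparing Jetty's 'major.minor.patch.vDATE' strings by their numeric prefix only is this example's own simplification.

```python
import io
import re
import zipfile
from typing import Dict, Iterator, List, Tuple

# Maven leaves META-INF/maven/<groupId>/<artifactId>/pom.properties (and
# pom.xml) inside every jar it builds, and they survive shading, which is how
# a bundled artifact can still be identified after the fact.
POM_PROPERTIES = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def embedded_coordinates(jar_bytes: bytes) -> Iterator[Tuple[str, str, str]]:
    """Yield (groupId, artifactId, version) for every pom.properties in a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            m = POM_PROPERTIES.match(name)
            if not m:
                continue
            props: Dict[str, str] = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue
                key, _, value = line.partition("=")
                props[key.strip()] = value.strip()
            # Prefer the values inside the file; fall back to the path segments.
            yield (props.get("groupId", m.group(1)),
                   props.get("artifactId", m.group(2)),
                   props.get("version", ""))


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a Jetty-style version: '9.3.11.v20160721' -> (9, 3, 11).

    Assumption of this example: only the leading dotted integers are compared;
    the '.vYYYYMMDD' build suffix and pre-release tags such as 'alpha0' are ignored.
    """
    parts: List[int] = []
    for piece in version.split("."):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def below_fixed(version: str, fixed: str) -> bool:
    """True when `version` sorts before the first fixed version `fixed`."""
    return version_key(version) < version_key(fixed)


def findings(jar_bytes: bytes, minimums: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (coordinate, found_version, required_version) for every embedded
    artifact whose version is below the minimum in `minimums`, which is keyed
    by 'groupId:artifactId'."""
    out = []
    for group, artifact, version in embedded_coordinates(jar_bytes):
        coord = f"{group}:{artifact}"
        if coord in minimums and below_fixed(version, minimums[coord]):
            out.append((coord, version, minimums[coord]))
    return out


def build_sample_jar() -> bytes:
    """Constructed stand-in for spark-core_2.10-2.2.2.jar: an otherwise empty
    jar carrying the shaded jetty-servlet pom.properties reported above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            "META-INF/maven/org.eclipse.jetty/jetty-servlet/pom.properties",
            "#Generated by Maven\nversion=9.3.11.v20160721\n"
            "groupId=org.eclipse.jetty\nartifactId=jetty-servlet\n",
        )
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


# 9.4.39 is the version the Kafka/HBase/ZooKeeper tickets referenced on this
# page moved to for CVE-2021-28165; anything older still carries that finding.
JETTY_MINIMUMS = {"org.eclipse.jetty:jetty-servlet": "9.4.39"}

if __name__ == "__main__":
    for coord, found, required in findings(build_sample_jar(), JETTY_MINIMUMS):
        print(f"{coord} {found} is below {required}")
```

Against a real artifact, call findings(open(path, "rb").read(), JETTY_MINIMUMS) on the jar from the Gradle cache. A hit of this kind is a true positive, so the right response is an upgrade of the containing artifact, not a Dependency-Check suppression entry.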
Published Vulnerabilities
CVE-2017-7656
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2017-7657
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2017-7658
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
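CVE-2017-7657 and CVE-2017-7658 above are the same class of bug at two points of HTTP/1.1 body framing: a chunk size that wraps in a fixed-width integer, and a request carrying two Content-Length values or Content-Length together with Transfer-Encoding. In both cases the origin and the intermediary in front of it settle on different body lengths, and the leftover bytes become a second request that only the origin sees. The Python below is an added example, not Jetty's code, of the two checks a parser (or an intermediary that enforces authorization) should make: the chunk-size parser refuses any hex size that its integer width cannot hold instead of wrapping, and the framing check rejects conflicting length declarations outright, which RFC 7230 section 3.3.3 permits. The 32-bit wrap in naive_chunk_size illustrates the overflow class described in CVE-2017-7657 and is not a reconstruction of Jetty's parser; the sample request heads are constructed here.

```python
import re
from typing import Callable, List, Tuple

MAX_CHUNK_BITS = 31  # width the hardened parser is willing to represent
CHUNK_SIZE_LINE = re.compile(r"^([0-9A-Fa-f]+)(?:;.*)?$")  # size [; chunk-ext]


def naive_chunk_size(line: str, bits: int = 32) -> int:
    """Illustration only: accumulate hex digits in a `bits`-wide unsigned int
    and silently wrap. A huge declared size becomes a small one, so the rest
    of the chunk body is read as the next (pipelined) request."""
    m = CHUNK_SIZE_LINE.match(line)
    if not m:
        raise ValueError("malformed chunk-size line")
    size = 0
    for ch in m.group(1):
        size = (size * 16 + int(ch, 16)) & ((1 << bits) - 1)
    return size


def strict_chunk_size(line: str, bits: int = MAX_CHUNK_BITS) -> int:
    """Hardened parser: reject any size the representation cannot hold.
    Leading zeros are legal, so the check is on the value, not the digit count."""
    m = CHUNK_SIZE_LINE.match(line)
    if not m:
        raise ValueError("malformed chunk-size line")
    size, limit = 0, (1 << bits) - 1
    for ch in m.group(1):
        size = size * 16 + int(ch, 16)
        if size > limit:
            raise ValueError("chunk size exceeds parser limit")
    return size


def body_framing(headers: List[Tuple[str, str]]) -> Tuple[str, int]:
    """Decide how the body is delimited (RFC 7230 section 3.3.3), rejecting
    every message that an intermediary and an origin could read differently.

    Returns ("chunked", -1), ("content-length", n) or ("none", 0)."""
    lengths = set()
    codings: List[str] = []
    for name, value in headers:
        lname = name.strip().lower()
        if lname == "content-length":
            # A repeated header and a comma-separated list are the same thing.
            for part in value.split(","):
                part = part.strip()
                if not part.isdigit():
                    raise ValueError("Content-Length is not a decimal integer")
                lengths.add(int(part))
        elif lname == "transfer-encoding":
            codings.extend(v.strip().lower() for v in value.split(","))
    if codings and lengths:
        raise ValueError("both Transfer-Encoding and Content-Length present")
    if codings:
        if codings[-1] != "chunked":
            raise ValueError("final Transfer-Encoding is not chunked")
        return ("chunked", -1)
    if len(lengths) > 1:
        raise ValueError("conflicting Content-Length values")
    if lengths:
        # Several identical values are tolerated by the RFC; one value results.
        return ("content-length", lengths.pop())
    return ("none", 0)


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a request head (request line plus headers) into (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, _, value = line.partition(":")
            pairs.append((name.strip(), value.strip()))
    return pairs


def rejected(check: Callable, *args) -> bool:
    """True when `check(*args)` raises ValueError; shows what the strict checks refuse."""
    try:
        check(*args)
    except ValueError:
        return True
    return False


# Constructed sample heads, not captured traffic: one clean, one ambiguous.
CLEAN_REQUEST = b"POST /login HTTP/1.1\r\nHost: app.internal\r\nContent-Length: 6\r\n\r\n"
AMBIGUOUS_REQUEST = (b"POST /login HTTP/1.1\r\nHost: app.internal\r\n"
                     b"Content-Length: 6\r\nContent-Length: 48\r\n\r\n")

if __name__ == "__main__":
    print("naive 0x100000005 ->", naive_chunk_size("100000005"))
    print("strict rejects it:", rejected(strict_chunk_size, "100000005"))
    print("clean:", body_framing(parse_headers(CLEAN_REQUEST)))
    print("ambiguous rejected:", rejected(body_framing, parse_headers(AMBIGUOUS_REQUEST)))
```

The useful property of body_framing is that it never chooses between two lengths; whichever component in the chain runs it, the ambiguous message is dropped there with a 400, so no later hop can see a different request than the earlier one did.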
CVE-2018-12536
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2018-12545
In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2019-10241
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2019-10247
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error; it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2020-27216
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2, on Unix like systems, the system's temporary directory is shared between all users on that system. A co-located user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other
CVSSv2: Base Score: MEDIUM (4.4) Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.0) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
CONFIRM - https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921 CONFIRM - https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6#advisory-comment-63053 CONFIRM - https://security.netapp.com/advisory/ntap-20201123-0005/ MISC - https://www.oracle.com/security-alerts/cpujan2021.html MLIST - [beam-issues] 20201110 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20201211 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20201211 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20201218 [jira] [Assigned] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20201218 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20201218 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210126 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210127 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210219 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210219 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210219 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210220 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210220 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - [beam-issues] 20210222 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 MLIST - 
Vulnerable Software & Versions:
CVE-2021-28165
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: HIGH (7.8) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
CONFIRM - https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w
Vulnerable Software & Versions:
spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-servlets:9.3.11.v20160721)
Description: Utility Servlets from Jetty
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/META-INF/maven/org.eclipse.jetty/jetty-servlets/pom.xml
MD5: 2f3cee3e8eac8287b4f4cffaf5119f76
SHA1: a4e5265b5a7924cdda05e470b3f5cc1b1e5c8a87
SHA256: 5cf4c6c32d250994bf8226c79f0133d427d0550aef194d14f3cea5f59e171ffb
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type    | Source | Name              | Value                                 | Confidence
Vendor  | pom    | artifactid        | jetty-servlets                        | Low
Vendor  | pom    | url               | http://www.eclipse.org/jetty          | Highest
Vendor  | pom    | parent-groupid    | org.eclipse.jetty                     | Medium
Vendor  | pom    | groupid           | eclipse.jetty                         | Highest
Vendor  | pom    | parent-artifactid | jetty-project                         | Low
Vendor  | pom    | name              | Jetty :: Utility Servlets and Filters | High
Product | pom    | artifactid        | jetty-servlets                        | Highest
Product | pom    | parent-artifactid | jetty-project                         | Medium
Product | pom    | parent-groupid    | org.eclipse.jetty                     | Medium
Product | pom    | groupid           | eclipse.jetty                         | Highest
Product | pom    | name              | Jetty :: Utility Servlets and Filters | High
Product | pom    | url               | http://www.eclipse.org/jetty          | Medium
Version | pom    | version           | 9.3.11.v20160721                      | Highest
Published Vulnerabilities
CVE-2017-7656
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2017-7657
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2017-7658
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-length headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2018-12536
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2018-12545
In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:
CVE-2019-10241
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2019-10247
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error; it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2020-27216 suppress
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability. NVD-CWE-Other
CVSSv2:
Base Score: MEDIUM (4.4) Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P CVSSv3:
Base Score: HIGH (7.0) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H References:
CONFIRM - https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921
CONFIRM - https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6#advisory-comment-63053
CONFIRM - https://security.netapp.com/advisory/ntap-20201123-0005/
MISC - https://www.oracle.com/security-alerts/cpujan2021.html
MLIST - [beam-issues] 20201110 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20201211 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20201211 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20201218 [jira] [Assigned] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20201218 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20201218 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210126 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210127 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210219 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210219 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210219 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210220 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210220 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210222 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210223 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210223 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210223 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210302 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210302 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210303 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210303 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210303 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210304 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210305 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210305 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210308 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210309 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210310 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210310 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210311 [jira] [Assigned] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210311 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210311 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210312 [jira] [Assigned] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210312 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210312 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210312 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210312 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210313 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210315 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210315 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210315 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210316 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210316 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210322 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210322 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210323 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210324 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210325 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210326 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210327 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210329 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210330 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210331 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210402 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210402 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210405 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210406 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210407 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210408 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210409 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210409 [jira] [Reopened] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210409 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210410 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210410 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210415 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210416 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210422 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210423 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210426 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210510 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210510 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210511 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210512 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210513 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210514 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210517 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210519 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210520 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210520 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210521 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210524 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210525 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210525 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210526 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [beam-issues] 20210526 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
MLIST - [debian-lts-announce] 20210514 [SECURITY] [DLA 2661-1] jetty9 security update
MLIST - [directory-commits] 20201104 [directory-server] branch master updated: Updating Jetty to 9.4.33 to fix CVE-2020-27216
MLIST - [druid-commits] 20201106 [GitHub] [druid] suneet-s opened a new pull request #10563: Bump jetty to latest version
MLIST - [felix-commits] 20201125 [felix-dev] branch master updated: FELIX-6364 Security vulnerability CVE-2020-27216 , update jetty (#63)
MLIST - [felix-dev] 20201125 [GitHub] [felix-dev] abhishekgarg18 opened a new pull request #63: FELIX-6364 Security vulnerability CVE-2020-27216 ,update jetty
MLIST - [felix-dev] 20201125 [GitHub] [felix-dev] cziegeler merged pull request #63: FELIX-6364 Security vulnerability CVE-2020-27216 ,update jetty
MLIST - [felix-dev] 20201125 [jira] [Assigned] (FELIX-6364) Security vulnerability CVE-2020-27216 ,update jetty
MLIST - [felix-dev] 20201125 [jira] [Created] (FELIX-6364) Security vulnerability CVE-2020-27216 ,update jetty
MLIST - [felix-dev] 20201125 [jira] [Resolved] (FELIX-6364) Security vulnerability CVE-2020-27216 ,update jetty
MLIST - [felix-dev] 20201125 [jira] [Updated] (FELIX-6364) Security vulnerability CVE-2020-27216 ,update jetty
MLIST - [iotdb-commits] 20210308 [iotdb] branch master updated: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216
MLIST - [iotdb-notifications] 20210303 [jira] [Created] (IOTDB-1181) Upgrade jetty jar to fix CVE-2020-27216
MLIST - [iotdb-reviews] 20210303 [GitHub] [iotdb] wangchao316 commented on pull request #2768: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216
MLIST - [iotdb-reviews] 20210303 [GitHub] [iotdb] wangchao316 opened a new pull request #2768: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216
MLIST - [iotdb-reviews] 20210308 [GitHub] [iotdb] jixuan1989 commented on pull request #2768: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216
MLIST - [iotdb-reviews] 20210308 [GitHub] [iotdb] jixuan1989 merged pull request #2768: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216
MLIST - [kafka-jira] 20201104 [GitHub] [kafka] niteshmor opened a new pull request #9556: MINOR: Update jetty to 9.4.33
MLIST - [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list
MLIST - [samza-commits] 20210310 [GitHub] [samza] Telesia opened a new pull request #1471: SAMZA-2630: Upgrade dependencies for security fixes
MLIST - [shiro-commits] 20201104 [GitHub] [shiro] coheigea opened a new pull request #262: Update Jetty to 9.4.33.v20201020 to fix CVE-2020-27216
MLIST - [shiro-commits] 20201104 [GitHub] [shiro] fpapon merged pull request #262: Update Jetty to 9.4.33.v20201020 to fix CVE-2020-27216
MLIST - [shiro-commits] 20201104 [shiro] branch master updated: Update Jetty to 9.4.33.v20201020 to fix CVE-2020-27216
MLIST - [zookeeper-commits] 20201124 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4017: Owasp check failing - Jetty 9.4.32 - CVE-2020-27216
MLIST - [zookeeper-commits] 20201124 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4017: Owasp check failing - Jetty 9.4.32 - CVE-2020-27216
MLIST - [zookeeper-commits] 20201124 [zookeeper] branch master updated: ZOOKEEPER-4017: Owasp check failing - Jetty 9.4.32 - CVE-2020-27216
MLIST - [zookeeper-dev] 20201123 Owasp test failing - Jetty 9.4.32 - CVE-2020-27216
MLIST - [zookeeper-dev] 20201123 Re: Owasp test failing - Jetty 9.4.32 - CVE-2020-27216
MLIST - [zookeeper-dev] 20201123 [jira] [Created] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216
MLIST - [zookeeper-dev] 20201205 [jira] [Created] (ZOOKEEPER-4023) CLONE - Owasp check failing - Jetty 9.4.32 - CVE-2020-27216
MLIST - [zookeeper-dev] 20201208 Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0
MLIST - [zookeeper-issues] 20201123 [jira] [Created] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216
MLIST - [zookeeper-issues] 20201123 [jira] [Updated] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216
MLIST - [zookeeper-issues] 20201124 [jira] [Resolved] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216
MLIST - [zookeeper-issues] 20201124 [jira] [Updated] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216
MLIST - [zookeeper-issues] 20201205 [jira] [Assigned] (ZOOKEEPER-4023) CLONE - Owasp check failing - Jetty 9.4.32 - CVE-2020-27216
MLIST - [zookeeper-issues] 20201205 [jira] [Created] (ZOOKEEPER-4023) CLONE - Owasp check failing - Jetty 9.4.32 - CVE-2020-27216
MLIST - [zookeeper-issues] 20201205 [jira] [Updated] (ZOOKEEPER-4023) dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218
MLIST - [zookeeper-notifications] 20201123 [GitHub] [zookeeper] anmolnar commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216
MLIST - [zookeeper-notifications] 20201123 [GitHub] [zookeeper] anmolnar opened a new pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216
MLIST - [zookeeper-notifications] 20201123 [GitHub] [zookeeper] eolivelli commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216
MLIST - [zookeeper-notifications] 20201123 [GitHub] [zookeeper] ztzg commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216
MLIST - [zookeeper-notifications] 20201124 [GitHub] [zookeeper] anmolnar commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216
MLIST - [zookeeper-notifications] 20201124 [GitHub] [zookeeper] anmolnar edited a comment on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216
MLIST - [zookeeper-notifications] 20201124 [GitHub] [zookeeper] asfgit closed pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216
MLIST - [zookeeper-notifications] 20201124 [GitHub] [zookeeper] nkalmar commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216
OSSINDEX - [CVE-2020-27216] In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.b...
Vulnerable Software & Versions:
CVE-2021-28165
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: HIGH (7.8) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
CONFIRM - https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w
MLIST - [hbase-commits] 20210408 [hbase-thirdparty] branch master updated: HBASE-25746 [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165 (#49)
MLIST - [hbase-dev] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165
MLIST - [hbase-issues] 20210407 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165
MLIST - [hbase-issues] 20210407 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165
MLIST - [hbase-issues] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165
MLIST - [hbase-issues] 20210407 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165
MLIST - [hbase-issues] 20210408 [GitHub] [hbase-thirdparty] apurtell merged pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165
MLIST - [hbase-issues] 20210408 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to >= 9.4.39 due to CVE-2021-28165
MLIST - [ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty
MLIST - [ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty
MLIST - [ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty
MLIST - [ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty
MLIST - [ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty
MLIST - [kafka-dev] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-dev] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210412 [jira] [Assigned] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210412 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210413 [GitHub] [kafka] chia7712 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210413 [GitHub] [kafka] chia7712 merged pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210413 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210413 [GitHub] [kafka] edwin092 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [kafka-jira] 20210413 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39
MLIST - [oss-security] 20210420 Vulnerability in Jenkins
MLIST - [pulsar-commits] 20210409 [GitHub] [pulsar] dinghram opened a new pull request #10183: CVE-2021-28165-Jetty
MLIST - [pulsar-commits] 20210409 [GitHub] [pulsar] merlimat commented on pull request #10183: CVE-2021-28165-Jetty
MLIST - [pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai closed pull request #10183: CVE-2021-28165-Jetty
MLIST - [pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai commented on pull request #10183: CVE-2021-28165-Jetty
MLIST - [solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr
MLIST - [solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr
MLIST - [spark-commits] 20210408 [spark] branch branch-2.4 updated: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-commits] 20210408 [spark] branch branch-3.0 updated: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-issues] 20210408 [jira] [Assigned] (SPARK-34988) Upgrade Jetty for CVE-2021-28165
MLIST - [spark-issues] 20210408 [jira] [Commented] (SPARK-34988) Upgrade Jetty for CVE-2021-28165
MLIST - [spark-issues] 20210408 [jira] [Created] (SPARK-34988) Upgrade Jetty for CVE-2021-28165
MLIST - [spark-issues] 20210408 [jira] [Resolved] (SPARK-34988) Upgrade Jetty for CVE-2021-28165
MLIST - [spark-issues] 20210408 [jira] [Updated] (SPARK-34988) Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] HyukjinKwon commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] MaxGekk closed pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] MaxGekk commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun closed pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun edited a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210408 [GitHub] [spark] viirya commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210517 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [spark-reviews] 20210517 [GitHub] [spark] jeffreysmooth commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165
MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.6.3 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-commits] 20210407 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-commits] 20210407 [zookeeper] branch master updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-dev] 20210407 Re: [VOTE] Apache ZooKeeper release 3.6.3 candidate 1
MLIST - [zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165
MLIST - [zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165
MLIST - [zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165
MLIST - [zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.38 CVE-2021-28165
MLIST - [zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165
MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad closed pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] asfgit closed pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165
OSSINDEX - [CVE-2021-28165] In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to ...
Vulnerable Software & Versions:
spark-core_2.10-2.2.2.jar (shaded: org.eclipse.jetty:jetty-util:9.3.11.v20160721)
Description: Utility classes for Jetty
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/META-INF/maven/org.eclipse.jetty/jetty-util/pom.xml
MD5: b418b4ce2ec43545a4fb88ca31adbb15
SHA1: e721e663c73b89f71812c0416385bb610a6d1767
SHA256: bb3cbd88ecb9433aa04135ce48dbb22a41ac6897905d12277d548c22b06a8390
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence (Type | Source | Name | Value | Confidence):
Vendor | pom | name | Jetty :: Utilities | High
Vendor | pom | artifactid | jetty-util | Low
Vendor | pom | url | http://www.eclipse.org/jetty | Highest
Vendor | pom | parent-groupid | org.eclipse.jetty | Medium
Vendor | pom | groupid | eclipse.jetty | Highest
Vendor | pom | parent-artifactid | jetty-project | Low
Product | pom | name | Jetty :: Utilities | High
Product | pom | parent-artifactid | jetty-project | Medium
Product | pom | parent-groupid | org.eclipse.jetty | Medium
Product | pom | artifactid | jetty-util | Highest
Product | pom | groupid | eclipse.jetty | Highest
Product | pom | url | http://www.eclipse.org/jetty | Medium
Version | pom | version | 9.3.11.v20160721 | Highest
Published Vulnerabilities
CVE-2017-7656
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2017-7657
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2017-7658
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2018-12536
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2018-12545
In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
CWE: CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2019-10241
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2019-10247
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error; it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE: CWE-200 Information Exposure
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2020-27216
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2, on Unix-like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
CWE: NVD-CWE-Other
CVSSv2: Base Score: MEDIUM (4.4) Vector: /AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (7.0) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
CVE-2021-28165
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE: CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv2: Base Score: HIGH (7.8) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] asfgit closed pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 MLIST - [zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165 OSSINDEX - [CVE-2021-28165] In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to ... OSSINDEX - [CVE-2021-28165] In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to ... OSSINDEX - [CVE-2021-28165] In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to ... Vulnerable Software & Versions: (show all )
spark-core_2.10-2.2.2.jar: additional-metrics.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/additional-metrics.js
MD5: 7fa27b76aeb0681abb2e6fe720669bae
SHA1: 7eb83bced737a22b17115be924b4400b444fdbda
SHA256: c40ff9923a081ba6fcfb125db5237d7e50a03198cae783c2b6aed8abbf8a5eed
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath

spark-core_2.10-2.2.2.jar: bootstrap-tooltip.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/bootstrap-tooltip.js
MD5: 709947628312aa8a4abaaf4e164c4f2c
SHA1: f4497d890717ded6be81af60dc211dd5528be2bd
SHA256: 7b4898d4fe0ee9e363ded6e1fd5ea1302c400ccd35590b863c9c7d95de71a652
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath

spark-core_2.10-2.2.2.jar: d3.min.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/d3.min.js
MD5: e1b9f89cc778a8c619cde3aea8b6f9d4
SHA1: 71188357fc005e40125b0ad76586c1f4bd53cffd
SHA256: 3d4c7c277efd3bb019ed0aba5d2dfbe575ded9b9055b842997774bee02f2b76a
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath

spark-core_2.10-2.2.2.jar: dagre-d3.min.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/dagre-d3.min.js
MD5: 2a602f00fd01dc07a0cb4def2f19850f
SHA1: f7552c9cb333c9dfc81c01149f7c321ed95ae0ef
SHA256: f38a54a35b59d44f359e1ecdbccc457ebae3f37c5448fc007107081d518144a3
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath

spark-core_2.10-2.2.2.jar: dataTables.bootstrap.min.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/dataTables.bootstrap.min.js
MD5: 0b47c89e21f255c1dd714c4acf7ff89c
SHA1: a66a9406643303fc2a33d53ab773e0a76ad49f5a
SHA256: a905062b971bfb70ba70dda1a454d9cb7f7389be7ff515f6eb9009c8e697a34b
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath

spark-core_2.10-2.2.2.jar: dataTables.rowsGroup.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/dataTables.rowsGroup.js
MD5: 9473e0a904f35fdf0110d912d16d5fb7
SHA1: 195a59175be1992aab636c5c641b405ba0283581
SHA256: 5856c937e4fe8a921364a14de58f406788db336ed9066b3aed897c0ced755c42
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath

spark-core_2.10-2.2.2.jar: executorspage.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/executorspage.js
MD5: 724bce5b2c0eecddb64d378a5b732052
SHA1: 13cc5ea43ee83acc80112605a108598fdb60fea2
SHA256: f0bbcb84cf1cab33248618670ecc265ed14d13c5138e7aa71793a70d002dace3
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath

spark-core_2.10-2.2.2.jar: graphlib-dot.min.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/graphlib-dot.min.js
MD5: 4c5ef7d11656cbc9c5efa082c2cc171a
SHA1: 197289ce3c78118bdeae5f312f97ed2b76cbd367
SHA256: 668584b1ed5fe082dc65c895d7cf4b4b3f0868758b1bdbaf056905418594a556
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath

spark-core_2.10-2.2.2.jar: historypage-common.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/historypage-common.js
MD5: 9a706318dfcf6b9877637077cdcbceb7
SHA1: 93cb55a455d6bd69ef527bd5ec118478c1e59406
SHA256: d031ee99e77b772f4e2396b8b91580dc7827f63de188512543938308cc60ec13
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath

spark-core_2.10-2.2.2.jar: historypage.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/historypage.js
MD5: 4baeffb4082f8ba5df50a1c8e7b8de69
SHA1: e57278c446c784ea868cb99bb541854eb19009a4
SHA256: 97e4dba4f48b8f6424c3d6638f4f51fc0d8b99c277d2dca87c09f10c6581d9af
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath

spark-core_2.10-2.2.2.jar: initialize-tooltips.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/initialize-tooltips.js
MD5: a7d09087f6ad4fb363268e35875c039d
SHA1: 5a3e6fade32d14c4607fabd6c3c687055aeb83d2
SHA256: a1accf33abb4abb4a65359b042db1c6afd92e437aa7cd08cb914590f5dd92c88
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath

spark-core_2.10-2.2.2.jar: jquery-1.11.1.min.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/jquery-1.11.1.min.js
MD5: 8101d596b2b8fa35fe3a634ea342d7c3
SHA1: d6c1f41972de07b09bfa63d2e50f9ab41ec372bd
SHA256: 540bc6dec1dd4b92ea4d3fb903f69eabf6d919afd48f4e312b163c28cff0f441
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence (Type, Source, Name, Value, Confidence):
Vendor file name jquery High
Product file name jquery High
Version file version 1.11.1.min High
Published Vulnerabilities:
CVE-2015-9251
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vulnerable Software & Versions (NVD):
CVE-2019-11358
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vulnerable Software & Versions (NVD):
cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_data_integration_hub:*:*:*:*:*:*:*:* versions from (including) 8.0.5; versions up to (including) 8.0.7 cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:bi_publisher:5.5.0.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:bi_publisher:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:* cpe:2.3:a:oracle:tape_library_acsls:8.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_mobile_applications:*:*:*:*:*:*:*:* versions up to (including) 19.8 cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_mobile_workforce_management:*:*:*:*:*:*:*:* versions from (including) 2.3.0.1; versions up to (including) 2.3.0.3
CVE-2020-11022
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N CVSSv3:
Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N References:
Vulnerable Software & Versions (NVD):
cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_supplier_collaboration_for_process:6.2.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_ui_framework:20.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:* cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_european_banking_authority:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0 cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6 cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_profitability_management:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_profitability_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70 
cpe:2.3:a:oracle:policy_automation_for_mobile_devices:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.20 cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_allocation_manager_for_enterprise_profitability:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9 cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8 cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8 cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from (including) 8.0.6.0.0; versions up to (including) 8.1.0.0.0 cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:* cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_us_federal_reserve:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.9 cpe:2.3:a:oracle:financial_services_profitability_management:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:* versions from (including) 5.0.0.0; versions up to (including) 5.6.0.0 cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0 cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_foundation:7.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_application_session_controller:3.8m0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8 cpe:2.3:a:oracle:insurance_accounting_analyzer:8.0.9:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8 cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:* versions from (including) 12.2.0; versions up to (including) 12.2.20 cpe:2.3:a:oracle:communications_diameter_signaling_router_idih\::*:*:*:*:*:*:*:* versions from (including) 8.0.0; versions up to (including) 8.2.2 cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_asset_liability_management:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_simphony:*:*:*:*:*:*:*:* versions from (including) 19.1.0; versions up to (including) 19.1.2 cpe:2.3:a:oracle:hospitality_simphony:18.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.0.8 cpe:2.3:a:oracle:hospitality_simphony:18.2:*:*:*:*:*:*:* cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:* cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.2; versions up to (excluding) 3.5.0 cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.7:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_data_foundation:*:*:*:*:*:*:*:* versions from (including) 8.0.6; versions up to (including) 8.1.0
CVE-2020-11023
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
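The two jQuery entries above (CVE-2020-11022 and CVE-2020-11023) share one mechanism: before handing markup to the browser, jQuery's DOM manipulation methods rewrote it, so a string that a DOM-based sanitizer had inspected and approved could parse differently once jQuery had touched it. The block below is an added example, not jQuery's code and not anything shipped in the scanned Spark jar. It re-implements the tag-expansion step of the pre-3.5.0 `jQuery.htmlPrefilter` (the CVE-2020-11022 path; the `<option>` case of CVE-2020-11023 comes from a different part of the same pre-parse handling), runs a constructed payload through it, and uses a simplified raw-text-aware scan standing in for the browser parser to count how many `<script>` elements survive. `countScriptElements`, `assess` and the payload string are this example's own names, and the scan models only `<style>`/`<script>` raw text, not the full HTML parsing algorithm.

```javascript
// Added example: models the jQuery < 3.5.0 htmlPrefilter rewrite that CVE-2020-11022
// describes, and shows why sanitizer-approved markup can still carry a live <script>.

// Tag-expansion regex and replacement as used by jQuery.htmlPrefilter in 3.x before 3.5.0.
// It rewrites "<tag .../>" into "<tag ...></tag>" for every non-void tag.
const RX_HTML_TAG = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

function legacyHtmlPrefilter(html) {
  return html.replace(RX_HTML_TAG, "<$1></$2>");
}

// jQuery 3.5.0 made htmlPrefilter the identity function; overriding it the same way
// (jQuery.htmlPrefilter = (h) => h) is the documented mitigation for older releases.
function fixedHtmlPrefilter(html) {
  return html;
}

// Simplified model of what an HTML parser (and therefore a DOM-walking sanitizer) sees:
// the content of <style> and <script> is raw text up to the matching end tag, so a
// "<script>" inside <style> raw text is inert CSS text, not an element.
// Returns the number of script *elements* the parser would create.
function countScriptElements(html) {
  const lower = html.toLowerCase();
  let i = 0;
  let scripts = 0;
  while (i < lower.length) {
    if (lower.startsWith("<style", i)) {
      const end = lower.indexOf("</style>", i);
      i = end === -1 ? lower.length : end + "</style>".length;
    } else if (lower.startsWith("<script", i)) {
      scripts += 1;
      const end = lower.indexOf("</script>", i);
      i = end === -1 ? lower.length : end + "</script>".length;
    } else {
      i += 1;
    }
  }
  return scripts;
}

// Constructed payload in the shape of the public CVE-2020-11022 proof of concept.
// To a parser everything after the first <style> is style text, so a sanitizer that
// walks the DOM finds no <script> element and passes the string through unchanged.
const SANITIZER_APPROVED = "<style><style/><script>alert(1)</script>";

// Run a string through a prefilter and report what the browser would then parse.
function assess(prefilter, html) {
  const rewritten = prefilter(html);
  return { rewritten, scriptElements: countScriptElements(rewritten) };
}

const before = assess(legacyHtmlPrefilter, SANITIZER_APPROVED);
const after = assess(fixedHtmlPrefilter, SANITIZER_APPROVED);
console.log("legacy prefilter ->", before.rewritten, "| script elements:", before.scriptElements);
console.log("3.5.0 prefilter  ->", after.rewritten, "| script elements:", after.scriptElements);
```

Run with `node`: the legacy prefilter turns `<style/>` into `<style></style>`, which closes the raw-text context early and leaves `<script>alert(1)</script>` as a real element that `.html()` or `.append()` would then evaluate; the identity prefilter leaves the sanitizer's view intact. Because Spark 2.2.2 bundles these jQuery files inside `spark-core_2.10-2.2.2.jar` (see the file paths below), the remediation is a Spark upgrade or a repackaged jar rather than a front-end dependency bump.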
CVSSv2:
Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N CVSSv3:
Base Score: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N References:
Vulnerable Software & Versions (NVD):
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:* cpe:2.3:a:netapp:max_data:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:* cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* versions from (including) 3.0; versions up to (including) 3.1.3 cpe:2.3:a:netapp:snapcenter_server:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0 cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_mobile:*:*:*:*:*:*:*:* versions up to (including) 20.12 cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:* cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.8.0; versions up to (excluding) 8.8.6 cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 16.2; versions up to (including) 16.2.11 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 19.12.0; versions up to (including) 19.12.4 cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:* cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* versions from (including) 2.4.0; versions up to (including) 2.10.0 cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 17.12.0; versions up to (including) 17.12.7 
cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:* versions from (including) 1.0.3; versions up to (excluding) 3.5.0 cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:* cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* versions up to (excluding) 9.2.5.0 cpe:2.3:a:oracle:financial_services_regulatory_reporting_for_de_nederlandsche_bank:8.0.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 7.0; versions up to (excluding) 7.70 cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.2.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:* cpe:2.3:a:oracle:banking_enterprise_collections:*:*:*:*:*:*:*:* versions from (including) 2.7.0; versions up to (including) 2.8.0 cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:* cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* versions from (including) 8.7.0; versions up to (excluding) 8.7.14 cpe:2.3:a:oracle:communications_operations_monitor:*:*:*:*:*:*:*:* versions from (including) 4.1; versions up to (including) 4.3 cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_human_capital_management_resources:9.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from (including) 18.8.0; versions up to (including) 18.8.9 cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:* versions up to (excluding) 20.2 cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:healthcare_translational_research:3.3.2:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:* versions from (including) 6.1; versions up to (including) 6.4 cpe:2.3:a:oracle:rest_data_services:19c:*:*:*:-:*:*:* cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
spark-core_2.10-2.2.2.jar: jquery.blockUI.min.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/jquery.blockUI.min.js
MD5: d8199c4bdb9f8a6bdfb27f3e3e4d1385
SHA1: 2accb3541d62d724734aa65cbb7a8f6dc959b00e
SHA256: 5b6f08f589840a27b74ec78944a46aa55e58812a99c5aa634aed6b45041a1761
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence
spark-core_2.10-2.2.2.jar: jquery.cookies.2.2.0.min.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/jquery.cookies.2.2.0.min.js
MD5: 03b9574487d06f8f8513f95758c7cab3
SHA1: 90a61ac9835905ebec2bb1499dd0b0de894f8045
SHA256: 10fdbfbb18a947e7024457f52fd2dfe94ebddd612156c886731474b02aa45d23
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence
spark-core_2.10-2.2.2.jar: jquery.dataTables.1.10.4.min.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/jquery.dataTables.1.10.4.min.js
MD5: 6eb613493f10a4bf9f11863e79aded88
SHA1: 31393b03e8b31b3d77dbc824d2eca935492c041e
SHA256: e16d5c26379abd4f6dedb8fbe42db785b3170613f31d709352d8aa54b743ca9f
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence
spark-core_2.10-2.2.2.jar: jquery.mustache.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/jquery.mustache.js
MD5: 148abb4a8b728e5c7b92106904277e78
SHA1: 16102aa3b01a5f6b18f500df8c6de53374838f76
SHA256: 370a5ba97e24ac11723727ad83a00b821c9d0f1a1729b85537bb18b67bc70255
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor file name mustache.js High Product file name mustache.js High Version file version 0.8.1 High
Published Vulnerabilities
mustache.js bug: pull request 530 (RETIREJS)
weakness in HTML escaping Unscored:
References:
spark-core_2.10-2.2.2.jar: jsonFormatter.min.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/jsonFormatter.min.js
MD5: beca83ee888fc4e974d0069b5e94b6ea
SHA1: 0795631699a4d227e3cf13398792d54c0f4e4eb2
SHA256: 182aaeba495cc66257d9c46ea68df28139bd6f02eb97695341ef4dae69dd0539
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence
spark-core_2.10-2.2.2.jar: log-view.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/log-view.js
MD5: efe8661ce20a440c0cef49fd2065a619
SHA1: 209be33395581d7910508e7d5fbcf34128276410
SHA256: 70aa723cc996ac25cf0e33914fec32545cd6013f4cab35ed1d031d26ab3508d4
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence
spark-core_2.10-2.2.2.jar: sorttable.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/sorttable.js
MD5: 8d85fe2d93f0c9e2823b9ecc00094a00
SHA1: 04cfb707c2bb77b50f3dc87ce3e78646f4765d30
SHA256: 94761e7b1c4ad7423a09f334f6a2fa6e6ac2faf354ced60984a0b88f423f95f3
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence
spark-core_2.10-2.2.2.jar: spark-dag-viz.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/spark-dag-viz.js
MD5: 5bd6afd0f6a84724900815d9bca46579
SHA1: c02bc10e545436dae6b5cd3a1b59b25d614cfdc9
SHA256: 8797a36ba1d907c2203ccff6315db6a5385e9c2fc259925eb2cb2dd288c86c7c
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence
spark-core_2.10-2.2.2.jar: table.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/table.js
MD5: a5898f0bcd5ec1686d1d72f47c524909
SHA1: 33a086242b5716193ce7382be92e4e25fc0c47d1
SHA256: 0fd719ead123ad6eacae5373bb1ccb7fd6339ea816adcaceae822f8d578e21c6
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence
spark-core_2.10-2.2.2.jar: timeline-view.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/timeline-view.js
MD5: 8f9f8a705ff1730e615cc257cc36cd73
SHA1: f47f3bd914191f5491f2ef6a4442a7cb03568e0a
SHA256: 2f887f4c95b8f2226145dab55d4ae78b2bea76c763e8aa9d93f61b0a3a8a9aac
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence
spark-core_2.10-2.2.2.jar: utils.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/utils.js
MD5: 0e92f5f593121fdaeb9bd616e5c45926
SHA1: 1c249c68df177d83dfee902a77908ecfc1ae5b1c
SHA256: 5d0103d19b129c0bd2058fb36aaf6f9cd1df2ec5b56939b1048ec7732a3429e0
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence
spark-core_2.10-2.2.2.jar: vis.min.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/vis.min.js
MD5: 8f16db863f54b83e1a0a33d2b2249c79
SHA1: 15c8115cdd5e9d70183f7995aa84a8c498c5a5e6
SHA256: 7b461b95eaf9aedbb6e4765a2913a75ffe086d8c5b45d12c18a96fd43c55edc4
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence
spark-core_2.10-2.2.2.jar: webui.js
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-core_2.10/2.2.2/2029009854ecb422d1ba6dc8135ba9b2be2ad1/spark-core_2.10-2.2.2.jar/org/apache/spark/ui/static/webui.js
MD5: b3a978c3fe27a3b75db21c937f1de61a
SHA1: b918ea863f1b904628457f8d6ee11e0aa063e406
SHA256: 32eb7c5409ecfc34a7249c5b549cb842a39b7c797689f9ebb095e0adb932d68d
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence
spark-launcher_2.10-2.2.2.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-launcher_2.10/2.2.2/5362ba56171849ce261d8504d0a8870f369f2441/spark-launcher_2.10-2.2.2.jar
MD5: 692d3018a03e0467434728c0b25a1e17
SHA1: 5362ba56171849ce261d8504d0a8870f369f2441
SHA256: 105cbd8b62d7c61194ed51aef8588d5f09e0e12e62d68c1d852caf9255149b75
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath Evidence Type Source Name Value Confidence Vendor Manifest implementation-url http://spark.apache.org/ Low Vendor pom name Spark Project Launcher High Vendor pom groupid apache.spark Highest Vendor Manifest Implementation-Vendor-Id org.apache.spark Medium Vendor Manifest Implementation-Vendor The Apache Software Foundation High Vendor Manifest specification-vendor The Apache Software Foundation Low Vendor pom url http://spark.apache.org/ Highest Vendor gradle groupid org.apache.spark Highest Vendor jar package name apache Highest Vendor pom artifactid spark-launcher_2.10 Low Vendor pom parent-artifactid spark-parent_2.10 Low Vendor file name spark-launcher_2.10-2.2.2 High Vendor pom parent-groupid org.apache.spark Medium Vendor jar package name spark Highest Vendor jar package name launcher Highest Product Manifest implementation-url http://spark.apache.org/ Low Product pom name Spark Project Launcher High Product pom groupid apache.spark Highest Product Manifest specification-title Spark Project Launcher Medium Product pom parent-artifactid spark-parent_2.10 Medium Product Manifest Implementation-Title Spark Project Launcher High Product pom url http://spark.apache.org/ Medium Product jar package name apache Highest Product gradle artifactid spark-launcher_2.10 Highest Product file name spark-launcher_2.10-2.2.2 High Product pom parent-groupid org.apache.spark Medium Product pom artifactid spark-launcher_2.10 Highest Product jar package name spark Highest Product jar package name launcher Highest Version gradle version 2.2.2 Highest Version Manifest Implementation-Version 2.2.2 High Version pom version 2.2.2 Highest
Published Vulnerabilities
CVE-2018-11760
When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1. NVD-CWE-noinfo
CVSSv2:
Base Score: LOW (2.1) Vector: /AV:L/AC:L/Au:N/C:N/I:P/A:N CVSSv3:
Base Score: MEDIUM (5.5) Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N References:
Vulnerable Software & Versions:
CVE-2018-11770
From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'. CWE-287 Improper Authentication
CVSSv2:
Base Score: MEDIUM (4.9) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:N CVSSv3:
Base Score: MEDIUM (4.2) Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N References:
Vulnerable Software & Versions:
CVE-2018-11804
Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code. CWE-20 Improper Input Validation
CVSSv2:
Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N CVSSv3:
Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N References:
Vulnerable Software & Versions:
CVE-2018-17190
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected. NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2019-10099
Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs. CWE-310 Cryptographic Issues
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2020-9480
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc). CWE-287 Improper Authentication
CVSSv2: Base Score: HIGH (9.3) Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
spark-network-common_2.10-2.2.2.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-network-common_2.10/2.2.2/21c00bf2f87048dcb6b128c7a5c8ea18e9582333/spark-network-common_2.10-2.2.2.jar
MD5: 46a327ba516a170b8ca37484b8b00fb2
SHA1: 21c00bf2f87048dcb6b128c7a5c8ea18e9582333
SHA256: 4a62f40962c62782c10a11570ea228a661386aa8c29df438880b90fa17707964
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | spark-network-common_2.10-2.2.2 | High
Vendor | Manifest | implementation-url | http://spark.apache.org/ | Low
Vendor | pom | groupid | apache.spark | Highest
Vendor | pom | name | Spark Project Networking | High
Vendor | Manifest | Implementation-Vendor-Id | org.apache.spark | Medium
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | url | http://spark.apache.org/ | Highest
Vendor | gradle | groupid | org.apache.spark | Highest
Vendor | jar | package name | network | Highest
Vendor | jar | package name | apache | Highest
Vendor | pom | parent-artifactid | spark-parent_2.10 | Low
Vendor | pom | artifactid | spark-network-common_2.10 | Low
Vendor | pom | parent-groupid | org.apache.spark | Medium
Vendor | jar | package name | spark | Highest
Product | file | name | spark-network-common_2.10-2.2.2 | High
Product | gradle | artifactid | spark-network-common_2.10 | Highest
Product | Manifest | implementation-url | http://spark.apache.org/ | Low
Product | pom | groupid | apache.spark | Highest
Product | pom | name | Spark Project Networking | High
Product | pom | parent-artifactid | spark-parent_2.10 | Medium
Product | pom | url | http://spark.apache.org/ | Medium
Product | pom | artifactid | spark-network-common_2.10 | Highest
Product | jar | package name | network | Highest
Product | jar | package name | apache | Highest
Product | Manifest | Implementation-Title | Spark Project Networking | High
Product | Manifest | specification-title | Spark Project Networking | Medium
Product | pom | parent-groupid | org.apache.spark | Medium
Product | jar | package name | spark | Highest
Version | gradle | version | 2.2.2 | Highest
Version | Manifest | Implementation-Version | 2.2.2 | High
Version | pom | version | 2.2.2 | Highest
Published Vulnerabilities
CVE-2018-11760
When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1. NVD-CWE-noinfo
CVSSv2: Base Score: LOW (2.1) Vector: /AV:L/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2018-11770
From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'. CWE-287 Improper Authentication
CVSSv2: Base Score: MEDIUM (4.9) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:N
CVSSv3: Base Score: MEDIUM (4.2) Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2018-11804
Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code. CWE-20 Improper Input Validation
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2018-17190
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected. NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2019-10099
Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs. CWE-310 Cryptographic Issues
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2020-9480
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc). CWE-287 Improper Authentication
CVSSv2: Base Score: HIGH (9.3) Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
spark-network-common_2.10-2.2.2.jar (shaded: com.google.guava:guava:14.0.1)
Description:
Guava is a suite of core and expanded libraries that include
utility classes, google's collections, io classes, and much
much more.
Guava has two code dependencies - javax.annotation
per the JSR-305 spec and javax.inject per the JSR-330 spec.
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-network-common_2.10/2.2.2/21c00bf2f87048dcb6b128c7a5c8ea18e9582333/spark-network-common_2.10-2.2.2.jar/META-INF/maven/com.google.guava/guava/pom.xml
MD5: b9406eec5781ea391a26972c394bf129
SHA1: 7b4c8f117c11a8f1fcaf4f1b0fd07cbe756a1430
SHA256: 3dd4a992d53eb524a1c6546a24b853b332b26520755e26b25d38100131424b7b
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | guava | Low
Vendor | pom | name | Guava: Google Core Libraries for Java | High
Vendor | pom | groupid | google.guava | Highest
Vendor | pom | parent-groupid | com.google.guava | Medium
Vendor | pom | parent-artifactid | guava-parent | Low
Product | pom | name | Guava: Google Core Libraries for Java | High
Product | pom | artifactid | guava | Highest
Product | pom | groupid | google.guava | Highest
Product | pom | parent-groupid | com.google.guava | Medium
Product | pom | parent-artifactid | guava-parent | Medium
Version | pom | version | 14.0.1 | Highest
Published Vulnerabilities
CVE-2018-10237
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable. CWE-770 Allocation of Resources Without Limits or Throttling
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
CONFIRM - https://groups.google.com/d/topic/guava-announce/xqWALw4W1vs/discussion
MISC - https://www.oracle.com/security-alerts/cpujan2021.html
MISC - https://www.oracle.com/security-alerts/cpujul2020.html
MLIST - [activemq-gitbox] 20190530 [GitHub] [activemq-artemis] brusdev opened a new pull request #2687: ARTEMIS-2359 Upgrade to Guava 24.1
MLIST - [activemq-issues] 20190516 [jira] [Created] (AMQ-7208) Security Issue related to Guava 18.0
MLIST - [activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar
MLIST - [cassandra-commits] 20190612 [jira] [Assigned] (CASSANDRA-14760) CVE-2018-10237 Security vulnerability in 3.11.3
MLIST - [cxf-dev] 20200206 [GitHub] [cxf] davidkarlsen opened a new pull request #638: upgrade guava, CVE-2018-10237
MLIST - [cxf-dev] 20200206 [GitHub] [cxf] reta commented on a change in pull request #638: upgrade guava, CVE-2018-10237
MLIST - [cxf-dev] 20200211 [GitHub] [cxf] coheigea commented on a change in pull request #638: upgrade guava, CVE-2018-10237
MLIST - [cxf-dev] 20200420 [GitHub] [cxf] andrei-ivanov commented on a change in pull request #638: upgrade guava, CVE-2018-10237
MLIST - [cxf-dev] 20200420 [GitHub] [cxf] coheigea commented on a change in pull request #638: upgrade guava, CVE-2018-10237
MLIST - [cxf-dev] 20200420 [GitHub] [cxf] reta commented on a change in pull request #638: upgrade guava, CVE-2018-10237
MLIST - [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities
MLIST - [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
MLIST - [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
MLIST - [flink-dev] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [flink-dev] 20200806 [jira] [Created] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency
MLIST - [flink-issues] 20200806 [jira] [Created] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency
MLIST - [flink-issues] 20200814 [jira] [Commented] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency
MLIST - [flink-issues] 20210212 [jira] [Closed] (FLINK-18841) CVE-2018-10237 and CWE-400 occurred in flink dependency
MLIST - [flink-user] 20200806 Dependency vulnerabilities with Apache Flink 1.10.1 version
MLIST - [hadoop-common-dev] 20190401 Update guava to 27.0-jre in hadoop-project
MLIST - [hadoop-common-dev] 20200623 Update guava to 27.0-jre in hadoop branch-2.10
MLIST - [hadoop-hdfs-dev] 20190401 Update guava to 27.0-jre in hadoop-project
MLIST - [kafka-users] 20200413 CVEs for the dependency software guava and rocksdbjni of Kafka
MLIST - [lucene-issues] 20201022 [jira] [Created] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava
MLIST - [lucene-issues] 20201022 [jira] [Resolved] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava
MLIST - [lucene-issues] 20201022 [jira] [Updated] (SOLR-14960) Solr-clustering is bringing in CVE-2018-10237 vulnerable guava
MLIST - [maven-issues] 20210122 [GitHub] [maven-indexer] akurtakov opened a new pull request #75: Remove guava dependency from indexer-core
MLIST - [pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1
MLIST - [pulsar-commits] 20210406 [GitHub] [pulsar] lhotari opened a new pull request #10149: Upgrade jclouds to 2.3.0 to fix security vulnerabilities
MLIST - [samza-commits] 20210310 [GitHub] [samza] Telesia opened a new pull request #1471: SAMZA-2630: Upgrade dependencies for security fixes
MLIST - [storm-issues] 20210315 [jira] [Created] (STORM-3754) Upgrade Guava version because of security vulnerability
MLIST - [syncope-dev] 20200423 Re: Time to cut 2.1.6 / 2.0.15?
OSSINDEX - [CVE-2018-10237] Deserialization of Untrusted Data
REDHAT - RHSA-2018:2423
REDHAT - RHSA-2018:2424
REDHAT - RHSA-2018:2425
REDHAT - RHSA-2018:2428
REDHAT - RHSA-2018:2598
REDHAT - RHSA-2018:2643
REDHAT - RHSA-2018:2740
REDHAT - RHSA-2018:2741
REDHAT - RHSA-2018:2742
REDHAT - RHSA-2018:2743
REDHAT - RHSA-2018:2927
REDHAT - RHSA-2019:2858
REDHAT - RHSA-2019:3149
SECTRACK - 1041707
Vulnerable Software & Versions:
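The upgrade to Guava 24.1.1 or later is the fix for CVE-2018-10237; the shaded copy inside spark-network-common cannot be upgraded independently, so the consumer of the stream is the only place left to enforce a bound. The following Java program is an added illustration, not part of this report, of Spark, or of Guava: a JEP 290 ObjectInputFilter (Java 9 and later) that rejects the AtomicDoubleArray class by name and caps array length, nesting depth and stream size, so an oversized array is refused before it is allocated. The Sample class, the numeric limits and the two payloads are constructed for the demonstration and are assumptions, not captured attacker data; Guava itself is not needed to run it.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public final class BoundedDeserialization {

    // Stand-in for a serializable type that carries an attacker-controlled array.
    // Constructed for this demonstration; it is not a Guava class.
    static final class Sample implements Serializable {
        private static final long serialVersionUID = 1L;
        final double[] values;
        Sample(int n) { values = new double[n]; }
    }

    // JEP 290 deserialization filter (Java 9+). The numeric limits are checked on
    // every object and array read; class patterns are matched in order, first match wins:
    //   - reject the Guava class named in CVE-2018-10237 outright,
    //   - allow this demo's own type and everything in java.base,
    //   - reject any other class ("!*").
    // The limits are assumptions for the demo; size them for your own protocol.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxarray=1024;maxdepth=16;maxbytes=65536;"
            + "!com.google.common.util.concurrent.AtomicDoubleArray;"
            + "BoundedDeserialization$Sample;"
            + "java.base/*;"
            + "!*");

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    // Deserializes with the filter installed. A rejected class, or an array whose
    // length exceeds maxarray, surfaces as InvalidClassException before the
    // allocation happens, which is exactly the eager allocation the CVE describes.
    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new Sample(16));
        byte[] oversized = serialize(new Sample(100_000));

        Sample ok = (Sample) deserializeFiltered(benign);
        System.out.println("benign payload accepted: " + ok.values.length + " elements");

        try {
            deserializeFiltered(oversized);
            System.out.println("oversized payload accepted (filter not in effect)");
        } catch (InvalidClassException e) {
            System.out.println("oversized payload rejected: " + e.getMessage());
        }
    }
}
```

The filter is defence in depth, not a substitute for the upgrade: it bounds Java serialization only, so the GWT serialization path through CompoundOrdering that the advisory also names is untouched by it, and the real root cause remains deserializing attacker-provided data at all. Because the size limits apply to every class, the same filter also blunts other eager-allocation gadgets that no class deny-list anticipates.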
CVE-2020-8908
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured. CWE-732 Incorrect Permission Assignment for Critical Resource
CVSSv2: Base Score: LOW (2.1) Vector: /AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: LOW (3.3) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
References:
Vulnerable Software & Versions:
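The advisory's two recommendations are easy to verify on a POSIX host. The Java program below is an added example, not part of this report or of Guava's code base: it creates one directory the way Guava's Files.createTempDir() does (File.mkdir() under java.io.tmpdir, which inherits the process umask) and one with java.nio.file.Files.createTempDirectory(), then reads back the permission bits of each. guavaStyleTempDir is a re-implementation written for this illustration rather than Guava's source, the "spark-local-" prefix is arbitrary, and the permission check only works on POSIX file systems (Files.getPosixFilePermissions throws UnsupportedOperationException elsewhere).

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public final class TempDirPermissions {

    // Re-implementation, for illustration only, of what Guava's Files.createTempDir()
    // does: File.mkdir() under java.io.tmpdir. mkdir() applies the process umask, so
    // with the common default of 022 the directory ends up drwxr-xr-x and every local
    // user can list and enter it. This is not Guava's source code.
    static File guavaStyleTempDir() throws IOException {
        File base = new File(System.getProperty("java.io.tmpdir"));
        String baseName = System.currentTimeMillis() + "-";
        for (int counter = 0; counter < 10_000; counter++) {
            File candidate = new File(base, baseName + counter);
            if (candidate.mkdir()) {
                return candidate;
            }
        }
        throw new IOException("could not create a temporary directory under " + base);
    }

    // Hardened form recommended by the advisory: java.nio creates the directory
    // with permissions 700 on POSIX systems regardless of umask.
    static Path hardenedTempDir() throws IOException {
        return Files.createTempDirectory("spark-local-");
    }

    // True when no group or other permission bit is set on the directory.
    static boolean isOwnerOnly(Path dir) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        for (PosixFilePermission perm : perms) {
            if (perm != PosixFilePermission.OWNER_READ
                    && perm != PosixFilePermission.OWNER_WRITE
                    && perm != PosixFilePermission.OWNER_EXECUTE) {
                return false;
            }
        }
        return true;
    }

    private static void report(String label, Path dir) throws IOException {
        String mode = PosixFilePermissions.toString(Files.getPosixFilePermissions(dir));
        System.out.println(label + ": " + mode
                + (isOwnerOnly(dir) ? "" : "  <- other local users can enter it"));
    }

    public static void main(String[] args) throws IOException {
        File weak = guavaStyleTempDir();
        Path strong = hardenedTempDir();
        try {
            report("mkdir()-style (Guava createTempDir)", weak.toPath());
            report("Files.createTempDirectory()         ", strong);
        } finally {
            // Both directories are empty, so a plain delete succeeds.
            weak.delete();
            Files.deleteIfExists(strong);
        }
    }
}
```

On a host whose umask is 077 both directories will come out owner-only, which is why the advisory's second option, pointing java.io.tmpdir at a location with appropriate permissions, also closes the issue; the point of the check is that Files.createTempDirectory() gives the safe result without depending on the environment.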
spark-network-shuffle_2.10-2.2.2.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-network-shuffle_2.10/2.2.2/150b7893eec6f82a3900590c529f7b2a6e5d50f5/spark-network-shuffle_2.10-2.2.2.jar
MD5: 8dd59d468492eef90575a4fb2717ada6
SHA1: 150b7893eec6f82a3900590c529f7b2a6e5d50f5
SHA256: 94b3d80767a0f5dc06056bb1bce9824ca5478fcdf736f43ec7f8e86afdc1cda2
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | implementation-url | http://spark.apache.org/ | Low
Vendor | pom | groupid | apache.spark | Highest
Vendor | pom | artifactid | spark-network-shuffle_2.10 | Low
Vendor | Manifest | Implementation-Vendor-Id | org.apache.spark | Medium
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | pom | name | Spark Project Shuffle Streaming Service | High
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | url | http://spark.apache.org/ | Highest
Vendor | file | name | spark-network-shuffle_2.10-2.2.2 | High
Vendor | gradle | groupid | org.apache.spark | Highest
Vendor | jar | package name | network | Highest
Vendor | jar | package name | apache | Highest
Vendor | pom | parent-artifactid | spark-parent_2.10 | Low
Vendor | pom | parent-groupid | org.apache.spark | Medium
Vendor | jar | package name | shuffle | Highest
Vendor | jar | package name | spark | Highest
Product | Manifest | implementation-url | http://spark.apache.org/ | Low
Product | gradle | artifactid | spark-network-shuffle_2.10 | Highest
Product | pom | groupid | apache.spark | Highest
Product | pom | parent-artifactid | spark-parent_2.10 | Medium
Product | pom | name | Spark Project Shuffle Streaming Service | High
Product | pom | artifactid | spark-network-shuffle_2.10 | Highest
Product | pom | url | http://spark.apache.org/ | Medium
Product | file | name | spark-network-shuffle_2.10-2.2.2 | High
Product | Manifest | specification-title | Spark Project Shuffle Streaming Service | Medium
Product | jar | package name | network | Highest
Product | jar | package name | apache | Highest
Product | jar | package name | shuffle | Highest
Product | pom | parent-groupid | org.apache.spark | Medium
Product | Manifest | Implementation-Title | Spark Project Shuffle Streaming Service | High
Product | jar | package name | spark | Highest
Version | gradle | version | 2.2.2 | Highest
Version | Manifest | Implementation-Version | 2.2.2 | High
Version | pom | version | 2.2.2 | Highest
Published Vulnerabilities
CVE-2018-11760
When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1. NVD-CWE-noinfo
CVSSv2: Base Score: LOW (2.1) Vector: /AV:L/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2018-11770
From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'. CWE-287 Improper Authentication
CVSSv2: Base Score: MEDIUM (4.9) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:N
CVSSv3: Base Score: MEDIUM (4.2) Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2018-11804
Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code. CWE-20 Improper Input Validation
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2018-17190
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected. NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2019-10099
Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs. CWE-310 Cryptographic Issues
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2020-9480
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc). CWE-287 Improper Authentication
CVSSv2: Base Score: HIGH (9.3) Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
spark-tags_2.10-2.2.2.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-tags_2.10/2.2.2/4df319abe6fcff45bed83a43877c7bdb032e5ee0/spark-tags_2.10-2.2.2.jar
MD5: 1a761e9070979d7ffb914c95636af725
SHA1: 4df319abe6fcff45bed83a43877c7bdb032e5ee0
SHA256: ea47eeb2c107a63a29ec234a746b5d5f8be8c2433a396a8d5c3c3a1d5618823a
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | implementation-url | http://spark.apache.org/ | Low
Vendor | pom | groupid | apache.spark | Highest
Vendor | Manifest | Implementation-Vendor-Id | org.apache.spark | Medium
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | url | http://spark.apache.org/ | Highest
Vendor | gradle | groupid | org.apache.spark | Highest
Vendor | jar | package name | apache | Highest
Vendor | pom | name | Spark Project Tags | High
Vendor | pom | parent-artifactid | spark-parent_2.10 | Low
Vendor | file | name | spark-tags_2.10-2.2.2 | High
Vendor | pom | parent-groupid | org.apache.spark | Medium
Vendor | jar | package name | spark | Highest
Vendor | pom | artifactid | spark-tags_2.10 | Low
Product | Manifest | Implementation-Title | Spark Project Tags | High
Product | Manifest | implementation-url | http://spark.apache.org/ | Low
Product | pom | groupid | apache.spark | Highest
Product | pom | artifactid | spark-tags_2.10 | Highest
Product | pom | parent-artifactid | spark-parent_2.10 | Medium
Product | gradle | artifactid | spark-tags_2.10 | Highest
Product | Manifest | specification-title | Spark Project Tags | Medium
Product | pom | url | http://spark.apache.org/ | Medium
Product | jar | package name | apache | Highest
Product | pom | name | Spark Project Tags | High
Product | file | name | spark-tags_2.10-2.2.2 | High
Product | pom | parent-groupid | org.apache.spark | Medium
Product | jar | package name | spark | Highest
Version | gradle | version | 2.2.2 | Highest
Version | Manifest | Implementation-Version | 2.2.2 | High
Version | pom | version | 2.2.2 | Highest
Published Vulnerabilities
CVE-2018-11760
When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1. NVD-CWE-noinfo
CVSSv2: Base Score: LOW (2.1) Vector: /AV:L/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2018-11770
From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'. CWE-287 Improper Authentication
CVSSv2: Base Score: MEDIUM (4.9) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:N
CVSSv3: Base Score: MEDIUM (4.2) Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2018-11804
Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code. CWE-20 Improper Input Validation
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2018-17190
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected. NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2019-10099
Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs. CWE-310 Cryptographic Issues
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2020-9480
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc). CWE-287 Improper Authentication
CVSSv2: Base Score: HIGH (9.3) Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
spark-unsafe_2.10-2.2.2.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-unsafe_2.10/2.2.2/e1eea755909a18bc15b6c49321e5ad9b66a4e6ee/spark-unsafe_2.10-2.2.2.jar
MD5: 0abfa8a25b8b7909d44d188dc135763a
SHA1: e1eea755909a18bc15b6c49321e5ad9b66a4e6ee
SHA256: c75c6ddb3efaeec5055032d8862ebb139ee18091447336b0cacb959211b73772
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | Manifest | implementation-url | http://spark.apache.org/ | Low
Vendor | pom | artifactid | spark-unsafe_2.10 | Low
Vendor | pom | groupid | apache.spark | Highest
Vendor | Manifest | Implementation-Vendor-Id | org.apache.spark | Medium
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | url | http://spark.apache.org/ | Highest
Vendor | pom | name | Spark Project Unsafe | High
Vendor | file | name | spark-unsafe_2.10-2.2.2 | High
Vendor | gradle | groupid | org.apache.spark | Highest
Vendor | jar | package name | apache | Highest
Vendor | pom | parent-artifactid | spark-parent_2.10 | Low
Vendor | pom | parent-groupid | org.apache.spark | Medium
Vendor | jar | package name | spark | Highest
Vendor | jar | package name | unsafe | Highest
Product | Manifest | specification-title | Spark Project Unsafe | Medium
Product | Manifest | implementation-url | http://spark.apache.org/ | Low
Product | pom | groupid | apache.spark | Highest
Product | Manifest | Implementation-Title | Spark Project Unsafe | High
Product | pom | parent-artifactid | spark-parent_2.10 | Medium
Product | pom | name | Spark Project Unsafe | High
Product | pom | url | http://spark.apache.org/ | Medium
Product | file | name | spark-unsafe_2.10-2.2.2 | High
Product | pom | artifactid | spark-unsafe_2.10 | Highest
Product | jar | package name | apache | Highest
Product | pom | parent-groupid | org.apache.spark | Medium
Product | jar | package name | spark | Highest
Product | gradle | artifactid | spark-unsafe_2.10 | Highest
Product | jar | package name | unsafe | Highest
Version | gradle | version | 2.2.2 | Highest
Version | Manifest | Implementation-Version | 2.2.2 | High
Version | pom | version | 2.2.2 | Highest
Published Vulnerabilities
CVE-2018-11760
When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: LOW (2.1) Vector: /AV:L/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (5.5) Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2018-11770
From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'.
CWE: CWE-287 Improper Authentication
CVSSv2: Base Score: MEDIUM (4.9) Vector: /AV:N/AC:M/Au:S/C:P/I:P/A:N
CVSSv3: Base Score: MEDIUM (4.2) Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2018-11804
Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code.
CWE: CWE-20 Improper Input Validation
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2018-17190
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2019-10099
Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.
CWE: CWE-310 Cryptographic Issues
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:
CVE-2020-9480
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
CWE: CWE-287 Improper Authentication
CVSSv2: Base Score: HIGH (9.3) Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
spring-aop-4.3.23.RELEASE.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.springframework/spring-aop/4.3.23.RELEASE/f49489bf0774db690f85588cab86d943069704bd/spring-aop-4.3.23.RELEASE.jar
MD5: 60a74c8e5684240897eb7297e79ba75d
SHA1: f49489bf0774db690f85588cab86d943069704bd
SHA256: efb768361d2dc4976a889e96a076f4fe61b390dfc7e50530624d1352159f3bce
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | hint analyzer | vendor | pivotal software | Highest
Vendor | jar | package name | springframework | Low
Vendor | gradle | groupid | org.springframework | Highest
Vendor | file | name | spring-aop | High
Vendor | jar | package name | aop | Low
Product | jar | package name | aop | Highest
Product | Manifest | Implementation-Title | spring-aop | High
Product | gradle | artifactid | spring-aop | Highest
Product | file | name | spring-aop | High
Product | jar | package name | aop | Low
Version | Manifest | Implementation-Version | 4.3.23.RELEASE | High
Version | file | version | 4.3.23.release | High
Published Vulnerabilities
CVE-2020-5421
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: LOW (3.6) Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N
References:
CONFIRM - https://security.netapp.com/advisory/ntap-20210513-0009/
CONFIRM - https://tanzu.vmware.com/security/cve-2020-5421
MISC - https://www.oracle.com/security-alerts/cpujan2021.html
MLIST - [ambari-commits] 20201019 [ambari] branch branch-2.7 updated: AMBARI-25571. Vulnerable Spring components in Ambari - CVE-2020-5398, CVE-2020-5421 (dlysnichenko) (#3246)
MLIST - [ambari-dev] 20201019 [GitHub] [ambari] dlysnichenko merged pull request #3246: AMBARI-25571. Vulnerable Spring components in Ambari - CVE-2020-5398, CVE-2020-5421
MLIST - [ambari-dev] 20201019 [GitHub] [ambari] dlysnichenko opened a new pull request #3246: AMBARI-25571. Vulnerable Spring components in Ambari - CVE-2020-5398, CVE-2020-5421
MLIST - [ambari-issues] 20201013 [jira] [Created] (AMBARI-25571) Vulnerable Spring components in Ambari - CVE-2020-5398, CVE-2020-5421
MLIST - [ambari-issues] 20201021 [jira] [Resolved] (AMBARI-25571) Vulnerable Spring components in Ambari - CVE-2020-5398, CVE-2020-5421
MLIST - [hive-dev] 20201022 [jira] [Created] (HIVE-24303) Upgrade spring framework to 4.3.29.RELEASE+ due to CVE-2020-5421
MLIST - [hive-issues] 20201022 [jira] [Assigned] (HIVE-24303) Upgrade spring framework to 4.3.29.RELEASE+ due to CVE-2020-5421
MLIST - [hive-issues] 20201022 [jira] [Updated] (HIVE-24303) Upgrade spring framework to 4.3.29.RELEASE+ due to CVE-2020-5421
MLIST - [hive-issues] 20210107 [jira] [Resolved] (HIVE-24303) Upgrade spring framework to 4.3.29.RELEASE+ due to CVE-2020-5421
MLIST - [ignite-user] 20201117 Query on CVE-2020-5421
MLIST - [ignite-user] 20201119 Re: Query on CVE-2020-5421
MLIST - [pulsar-commits] 20201022 [GitHub] [pulsar] Ghatage opened a new pull request #8355: [Issue 8354][pulsar-io] Upgrade spring framework version to patch CVE-2020-5421
MLIST - [pulsar-commits] 20201023 [GitHub] [pulsar] Ghatage commented on pull request #8355: [Issue 8354][pulsar-io] Upgrade spring framework version to patch CVE-2020-5421
MLIST - [pulsar-commits] 20201026 [GitHub] [pulsar] wolfstudy commented on pull request #8355: [Issue 8354][pulsar-io] Upgrade spring framework version to patch CVE-2020-5421
MLIST - [pulsar-commits] 20201028 [GitHub] [pulsar] merlimat merged pull request #8355: [Issue 8354][pulsar-io] Upgrade spring framework version to patch CVE-2020-5421
MLIST - [ranger-dev] 20201007 Re: Review Request 72934: RANGER-3022: Upgrade Spring framework to version 4.3.29.RELEASE
OSSINDEX - [CVE-2020-5421] In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3....
Vulnerable Software & Versions:
spring-beans-4.3.23.RELEASE.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/4.3.23.RELEASE/27570e1d493f636c910191004f822e756a9df871/spring-beans-4.3.23.RELEASE.jar
MD5: 4e16d0773ff7136bb2bfc0e8fe0f817e
SHA1: 27570e1d493f636c910191004f822e756a9df871
SHA256: b7669884ddd511fde96b4b2529a467167ee07dc7124b60c40d3a8850bcdaff53
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | hint analyzer | vendor | pivotal software | Highest
Vendor | jar | package name | beans | Low
Vendor | jar | package name | springframework | Low
Vendor | gradle | groupid | org.springframework | Highest
Vendor | file | name | spring-beans | High
Vendor | jar | package name | factory | Low
Product | jar | package name | beans | Highest
Product | Manifest | Implementation-Title | spring-beans | High
Product | jar | package name | beans | Low
Product | file | name | spring-beans | High
Product | gradle | artifactid | spring-beans | Highest
Product | jar | package name | factory | Low
Version | Manifest | Implementation-Version | 4.3.23.RELEASE | High
Version | file | version | 4.3.23.release | High
Published Vulnerabilities
CVE-2020-5421
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: LOW (3.6) Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N
References: identical to the CVE-2020-5421 reference list given under spring-aop-4.3.23.RELEASE.jar above.
Vulnerable Software & Versions:
spring-context-4.3.23.RELEASE.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/4.3.23.RELEASE/337d1030cb7abeeb28618b01dab7250a90d77151/spring-context-4.3.23.RELEASE.jar
MD5: ed9191ca00726652469d6ad7ec733c79
SHA1: 337d1030cb7abeeb28618b01dab7250a90d77151
SHA256: 65ef4ceb685119082e5c750e67c325ee8087d26930a594804c427b101d3b0b87
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | spring-context | High
Vendor | hint analyzer | vendor | pivotal software | Highest
Vendor | jar | package name | springframework | Low
Vendor | gradle | groupid | org.springframework | Highest
Product | file | name | spring-context | High
Product | gradle | artifactid | spring-context | Highest
Product | jar | package name | context | Highest
Product | Manifest | Implementation-Title | spring-context | High
Version | Manifest | Implementation-Version | 4.3.23.RELEASE | High
Version | file | version | 4.3.23.release | High
Published Vulnerabilities
CVE-2020-5421
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: LOW (3.6) Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N
References: identical to the CVE-2020-5421 reference list given under spring-aop-4.3.23.RELEASE.jar above.
Vulnerable Software & Versions:
spring-core-4.3.23.RELEASE.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/4.3.23.RELEASE/1481429d44ea0deca1d8b9d6d5e948cb7f063bdb/spring-core-4.3.23.RELEASE.jar
MD5: 4092f5dbb7fe5ab537790d432ac21db1
SHA1: 1481429d44ea0deca1d8b9d6d5e948cb7f063bdb
SHA256: 0eaab0b2f45c8af339a43e491fc710b2f7f9ee9979bed5e5a39a2ebd267e921e
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | hint analyzer | vendor | pivotal software | Highest
Vendor | jar | package name | springframework | Low
Vendor | gradle | groupid | org.springframework | Highest
Vendor | file | name | spring-core | High
Vendor | hint analyzer | vendor | SpringSource | Highest
Vendor | hint analyzer | vendor | vmware | Highest
Vendor | jar | package name | core | Low
Product | jar | package name | core | Highest
Product | file | name | spring-core | High
Product | gradle | artifactid | spring-core | Highest
Product | hint analyzer | product | springsource_spring_framework | Highest
Product | Manifest | Implementation-Title | spring-core | High
Product | jar | package name | core | Low
Version | Manifest | Implementation-Version | 4.3.23.RELEASE | High
Version | file | version | 4.3.23.release | High
Published Vulnerabilities
CVE-2020-5421
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: LOW (3.6) Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N
References: identical to the CVE-2020-5421 reference list given under spring-aop-4.3.23.RELEASE.jar above.
Vulnerable Software & Versions:
spring-expression-4.3.23.RELEASE.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.springframework/spring-expression/4.3.23.RELEASE/cebdf400b3c820220deb868a84bce627eb8ad18c/spring-expression-4.3.23.RELEASE.jar
MD5: d7ff44d171407bb960a1e89e5b0893d6
SHA1: cebdf400b3c820220deb868a84bce627eb8ad18c
SHA256: c2e144e446956b897b91b153b7a3676fe5d0bf07b407b337961fb38c83ac21b1
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | hint analyzer | vendor | pivotal software | Highest
Vendor | jar | package name | springframework | Low
Vendor | gradle | groupid | org.springframework | Highest
Vendor | jar | package name | spel | Low
Vendor | file | name | spring-expression | High
Vendor | jar | package name | expression | Low
Product | jar | package name | expression | Highest
Product | Manifest | Implementation-Title | spring-expression | High
Product | jar | package name | spel | Low
Product | gradle | artifactid | spring-expression | Highest
Product | file | name | spring-expression | High
Product | jar | package name | expression | Low
Version | Manifest | Implementation-Version | 4.3.23.RELEASE | High
Version | file | version | 4.3.23.release | High
Published Vulnerabilities
CVE-2020-5421
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: LOW (3.6) Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N
References: identical to the CVE-2020-5421 reference list given under spring-aop-4.3.23.RELEASE.jar above.
Vulnerable Software & Versions:
spring-shell-1.2.0.RELEASE.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.springframework.shell/spring-shell/1.2.0.RELEASE/d94047721f292bd5334b5654e8600cef4b845049/spring-shell-1.2.0.RELEASE.jar
MD5: b9b3e0fb847f7f6de20d53e653e36d5b
SHA1: d94047721f292bd5334b5654e8600cef4b845049
SHA256: fe9f2b19a40d55fa140bb14bfd17addb6771bb074576e43496bf9b5b7427e73c
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | spring-shell | High
Vendor | hint analyzer | vendor | pivotal software | Highest
Vendor | jar | package name | springframework | Low
Vendor | gradle | groupid | org.springframework.shell | Highest
Vendor | jar | package name | shell | Low
Product | file | name | spring-shell | High
Product | jar | package name | shell | Highest
Product | gradle | artifactid | spring-shell | Highest
Product | jar | package name | shell | Low
Product | Manifest | Implementation-Title | spring-shell | High
Version | Manifest | Implementation-Version | 1.2.0.RELEASE | High
Version | file | version | 1.2.0.release | High
spring-web-4.3.23.RELEASE.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/4.3.23.RELEASE/7690431d7f2175a8a825997b38d1433560d1a434/spring-web-4.3.23.RELEASE.jar
MD5: 19c712c3abef89b79e3d3a124d643ed4
SHA1: 7690431d7f2175a8a825997b38d1433560d1a434
SHA256: ee4fe2afef84e32b292b6427b7e90c5484cdc558db491ca8b33362465de7bb11
Referenced In Projects/Scopes: calcite:sqllineClasspath geode:default geode:compileClasspath geode:runtimeClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | file | name | spring-web | High
Vendor | hint analyzer | vendor | pivotal software | Highest
Vendor | jar | package name | springframework | Low
Vendor | gradle | groupid | org.springframework | Highest
Vendor | jar | package name | web | Low
Product | file | name | spring-web | High
Product | gradle | artifactid | spring-web | Highest
Product | Manifest | Implementation-Title | spring-web | High
Product | jar | package name | web | Highest
Product | jar | package name | web | Low
Version | Manifest | Implementation-Version | 4.3.23.RELEASE | High
Version | file | version | 4.3.23.release | High
Published Vulnerabilities
CVE-2020-5421
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
CWE: NVD-CWE-noinfo
CVSSv2: Base Score: LOW (3.6) Vector: /AV:N/AC:H/Au:S/C:P/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N
References: identical to the CVE-2020-5421 reference list given under spring-aop-4.3.23.RELEASE.jar above.
Vulnerable Software & Versions:
sqlline-1.11.0.jar
Description: Shell for issuing SQL to relational databases via JDBC
License: Modified BSD License: https://opensource.org/licenses/BSD-3-Clause
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/sqlline/sqlline/1.11.0/9b277de54dea77e861f51854ac432ade4fd18899/sqlline-1.11.0.jar
MD5: 4022ecec2ddc5f5363e19951718387a6
SHA1: 9b277de54dea77e861f51854ac432ade4fd18899
SHA256: 5451b46c60132c706ce6b754754b329dc08dc0ccdc2bdd80c1c0198e0ac603e5
Referenced In Project/Scope: calcite:sqllineClasspath
Evidence:
Type | Source | Name | Value | Confidence
Vendor | pom | name | sqlline | High
Vendor | gradle | groupid | sqlline | Highest
Vendor | jar | package name | sqlline | Highest
Vendor | pom | organization url | julianhyde | Medium
Vendor | Manifest | build-jdk-spec | 11 | Low
Vendor | pom | parent-artifactid | parent | Low
Vendor | pom | url | julianhyde/sqlline | Highest
Vendor | file | name | sqlline | High
Vendor | Manifest | specification-vendor | Julian Hyde | Low
Vendor | pom | groupid | sqlline | Highest
Vendor | pom | organization name | Julian Hyde | High
Vendor | pom | artifactid | sqlline | Low
Vendor | Manifest | Implementation-Vendor | Julian Hyde | High
Vendor | pom | parent-groupid | net.hydromatic | Medium
Product | pom | name | sqlline | High
Product | pom | parent-artifactid | parent | Medium
Product | pom | organization name | Julian Hyde | Low
Product | jar | package name | sqlline | Highest
Product | Manifest | build-jdk-spec | 11 | Low
Product | gradle | artifactid | sqlline | Highest
Product | pom | url | julianhyde/sqlline | High
Product | file | name | sqlline | High
Product | pom | groupid | sqlline | Highest
Product | Manifest | specification-title | sqlline | Medium
Product | pom | url | julianhyde | High
Product | pom | artifactid | sqlline | Highest
Product | pom | parent-groupid | net.hydromatic | Medium
Product | Manifest | Implementation-Title | sqlline | High
Version | file | version | 1.11.0 | High
Version | pom | version | 1.11.0 | Highest
Version | gradle | version | 1.11.0 | Highest
Version | Manifest | Implementation-Version | 1.11.0 | High
Version | pom | parent-version | 1.11.0 | Low
stax-api-1.0-2.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.xml.stream/stax-api/1.0-2/d6337b0de8b25e53e81b922352fbea9f9f57ba0b/stax-api-1.0-2.jar
MD5: 7d18b63063580284c3f5734081fdc99f
SHA1: d6337b0de8b25e53e81b922352fbea9f9f57ba0b
SHA256: e8c70ebd76f982c9582a82ef82cf6ce14a7d58a4a4dca5cb7b7fc988c80089b7
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | stax-api | High
Vendor | jar | package name | stream | Low
Vendor | jar | package name | javax | Low
Vendor | gradle | groupid | javax.xml.stream | Highest
Vendor | jar | package name | xml | Low
Product | file | name | stax-api | High
Product | gradle | artifactid | stax-api | Highest
Product | jar | package name | stream | Low
Product | jar | package name | xml | Low
Version | file | version | 1.0.2 | High
Version | file | name | stax-api | Medium
Version | gradle | version | 1.0-2 | Highest
stream-2.7.0.jar
Description:
A library for summarizing data in streams for which it is infeasible to store all events
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.clearspring.analytics/stream/2.7.0/9998f8cf87d329fef226405f8d519638cfe1431d/stream-2.7.0.jar
MD5: 02fc1abdf3c14a1d759c3ac799b54cec
SHA1: 9998f8cf87d329fef226405f8d519638cfe1431d
SHA256: eb66267be63bba45f3e9d4e143bc32906db595dbbedafb62842e7ea340796e01
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | jar | package name | analytics | Highest
Vendor | gradle | groupid | com.clearspring.analytics | Highest
Vendor | jar | package name | stream | Highest
Vendor | pom | url | addthis/stream-lib | Highest
Vendor | pom | groupid | clearspring.analytics | Highest
Vendor | jar | package name | clearspring | Highest
Vendor | jar | package name | clearspring | Low
Vendor | jar | package name | stream | Low
Vendor | pom | artifactid | stream | Low
Vendor | pom | name | stream-lib | High
Vendor | file | name | stream | High
Vendor | jar | package name | analytics | Low
Product | pom | artifactid | stream | Highest
Product | jar | package name | analytics | Highest
Product | jar | package name | stream | Low
Product | jar | package name | stream | Highest
Product | pom | name | stream-lib | High
Product | gradle | artifactid | stream | Highest
Product | pom | url | addthis/stream-lib | High
Product | pom | groupid | clearspring.analytics | Highest
Product | jar | package name | clearspring | Highest
Product | file | name | stream | High
Product | jar | package name | analytics | Low
Version | pom | version | 2.7.0 | Highest
Version | gradle | version | 2.7.0 | Highest
Version | file | version | 2.7.0 | High
stringtemplate-3.2.1.jar
Description:
StringTemplate is a java template engine for generating source code,
web pages, emails, or any other formatted text output.
StringTemplate is particularly good at multi-targeted code generators,
multiple site skins, and internationalization/localization.
It evolved over years of effort developing jGuru.com.
StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org
and powers the ANTLR v3 code generator. Its distinguishing characteristic
is that unlike other engines, it strictly enforces model-view separation.
Strict separation makes websites and code generators more flexible
and maintainable; it also provides an excellent defense against malicious
template authors.
There are currently about 600 StringTemplate source downloads a month.
License:
BSD licence: http://antlr.org/license.html
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.antlr/stringtemplate/3.2.1/59ec8083721eae215c6f3caee944c410d2be34de/stringtemplate-3.2.1.jar
MD5: b58ca53e518a92a1991eb63b61917582
SHA1: 59ec8083721eae215c6f3caee944c410d2be34de
SHA256: f66ce72e965e5301cb0f020e54d2ba6ad76feb91b3cbfc30dbbf00c06a6df6d7
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath pig:runtimeClasspath piglet:default pig:default pig:compileClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | url | http://www.stringtemplate.org | Highest
Vendor | pom | artifactid | stringtemplate | Low
Vendor | jar | package name | stringtemplate | Highest
Vendor | pom | name | ANTLR StringTemplate | High
Vendor | jar | package name | language | Low
Vendor | file | name | stringtemplate | High
Vendor | gradle | groupid | org.antlr | Highest
Vendor | pom | groupid | antlr | Highest
Vendor | jar | package name | antlr | Highest
Vendor | jar | package name | antlr | Low
Vendor | jar | package name | stringtemplate | Low
Product | pom | url | http://www.stringtemplate.org | Medium
Product | jar | package name | stringtemplate | Highest
Product | pom | name | ANTLR StringTemplate | High
Product | jar | package name | language | Low
Product | file | name | stringtemplate | High
Product | gradle | artifactid | stringtemplate | Highest
Product | pom | groupid | antlr | Highest
Product | jar | package name | antlr | Highest
Product | jar | package name | stringtemplate | Low
Product | pom | artifactid | stringtemplate | Highest
Version | file | version | 3.2.1 | High
Version | gradle | version | 3.2.1 | Highest
Version | pom | version | 3.2.1 | Highest
tpcds-0.4.jar
Description:
Port of the TPC-DS data generator to Java
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/net.hydromatic/tpcds/0.4/f379d199ad056b8b374370181ff9e9581fb5e931/tpcds-0.4.jar
MD5: 194b806636dad31c70b4e9c7c7c5afcb
SHA1: f379d199ad056b8b374370181ff9e9581fb5e931
SHA256: 0c5f8e6e13bd528531dcec568c72937f14165b95c4348a20055f6ea880b18dc3
Referenced In Projects/Scopes: calcite:sqllineClasspath plus:compileClasspath plus:default plus:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | jar | package name | net | Highest
Vendor | jar | package name | hydromatic | Highest
Vendor | pom | organization url | http://www.hydromatic.net | Medium
Vendor | pom | url | http://github.com/julianhyde/tpcds | Highest
Vendor | jar | package name | tpcds | Highest
Vendor | gradle | groupid | net.hydromatic | Highest
Vendor | pom | groupid | net.hydromatic | Highest
Vendor | pom | artifactid | tpcds | Low
Vendor | file | name | tpcds | High
Vendor | jar | package name | net | Low
Vendor | jar | package name | tpcds | Low
Vendor | pom | organization name | Julian Hyde | High
Vendor | jar | package name | hydromatic | Low
Vendor | pom | name | tpcds | High
Product | pom | organization name | Julian Hyde | Low
Product | jar | package name | net | Highest
Product | gradle | artifactid | tpcds | Highest
Product | jar | package name | hydromatic | Highest
Product | pom | artifactid | tpcds | Highest
Product | jar | package name | tpcds | Highest
Product | pom | groupid | net.hydromatic | Highest
Product | file | name | tpcds | High
Product | pom | url | http://github.com/julianhyde/tpcds | Medium
Product | jar | package name | tpcds | Low
Product | jar | package name | hydromatic | Low
Product | pom | organization url | http://www.hydromatic.net | Low
Product | pom | name | tpcds | High
Version | file | version | 0.4 | High
Version | pom | version | 0.4 | Highest
Version | gradle | version | 0.4 | Highest
tpcds-1.2.jar
Description:
Java based generator for TPC-DS data
License:
Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.teradata.tpcds/tpcds/1.2/1126480765c57e1636c6cfd776d560fa1c115274/tpcds-1.2.jar
MD5: d9b463cec07688427a41679dce67a609
SHA1: 1126480765c57e1636c6cfd776d560fa1c115274
SHA256: 08463e70b4b0282b5fb1970bd73dd1c3b407d34b78bbb12ea4071056a507d884
Referenced In Projects/Scopes: calcite:sqllineClasspath plus:compileClasspath plus:default plus:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | Implementation-Vendor-Id | com.teradata.tpcds | Medium
Vendor | Manifest | git-commit-id | b2252a62e56d71081c9956b197ab37df32c322d4 | Low
Vendor | jar | package name | generator | Highest
Vendor | gradle | groupid | com.teradata.tpcds | Highest
Vendor | jar | package name | tpcds | Highest
Vendor | pom | url | https://github.td.teradata.com/center-for-hadoop/tpcds | Highest
Vendor | pom | artifactid | tpcds | Low
Vendor | file | name | tpcds | High
Vendor | pom | parent-artifactid | airbase | Low
Vendor | jar | package name | teradata | Highest
Vendor | pom | parent-groupid | io.airlift | Medium
Vendor | pom | groupid | teradata.tpcds | Highest
Vendor | Manifest | build-time | 2017-07-05T16:45:22-0400 | Low
Vendor | pom | name | tpcds | High
Product | Manifest | Implementation-Title | tpcds | High
Product | Manifest | git-commit-id | b2252a62e56d71081c9956b197ab37df32c322d4 | Low
Product | pom | url | https://github.td.teradata.com/center-for-hadoop/tpcds | Medium
Product | gradle | artifactid | tpcds | Highest
Product | Manifest | specification-title | tpcds | Medium
Product | pom | artifactid | tpcds | Highest
Product | jar | package name | generator | Highest
Product | jar | package name | tpcds | Highest
Product | file | name | tpcds | High
Product | jar | package name | teradata | Highest
Product | pom | parent-groupid | io.airlift | Medium
Product | pom | groupid | teradata.tpcds | Highest
Product | pom | parent-artifactid | airbase | Medium
Product | Manifest | build-time | 2017-07-05T16:45:22-0400 | Low
Product | pom | name | tpcds | High
Version | file | version | 1.2 | High
Version | Manifest | Implementation-Version | 1.2 | High
Version | pom | version | 1.2 | Highest
Version | gradle | version | 1.2 | Highest
Version | pom | parent-version | 1.2 | Low
tpch-1.0.jar
Description:
Port of TPC-H dbgen to Java
License:
Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/io.prestosql.tpch/tpch/1.0/ae465d43254717c3211a613c9f1fa2a3c97641df/tpch-1.0.jar
MD5: bc5537dcdaf548f1f312633a6468eb90
SHA1: ae465d43254717c3211a613c9f1fa2a3c97641df
SHA256: 0f55e2ee3302ba0bf9966d65295f6fa534898aad2d9067f0c656d5a14d1ca566
Referenced In Projects/Scopes: calcite:sqllineClasspath plus:compileClasspath plus:default plus:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | Implementation-Vendor-Id | io.prestosql.tpch | Medium
Vendor | pom | name | tpch | High
Vendor | gradle | groupid | io.prestosql.tpch | Highest
Vendor | pom | artifactid | tpch | Low
Vendor | jar | package name | tpch | Highest
Vendor | pom | parent-artifactid | airbase | Low
Vendor | pom | groupid | io.prestosql.tpch | Highest
Vendor | Manifest | git-commit-id | b66b4b54f7f8e5c7f212b26815c6c0d82e32eab9 | Low
Vendor | Manifest | build-time | 2020-01-17T12:07:03-0800 | Low
Vendor | file | name | tpch | High
Vendor | pom | parent-groupid | io.airlift | Medium
Vendor | pom | url | prestosql/tpch | Highest
Vendor | jar | package name | io | Highest
Vendor | jar | package name | prestosql | Highest
Product | pom | name | tpch | High
Product | jar | package name | tpch | Highest
Product | pom | groupid | io.prestosql.tpch | Highest
Product | Manifest | Implementation-Title | tpch | High
Product | Manifest | specification-title | tpch | Medium
Product | Manifest | git-commit-id | b66b4b54f7f8e5c7f212b26815c6c0d82e32eab9 | Low
Product | Manifest | build-time | 2020-01-17T12:07:03-0800 | Low
Product | file | name | tpch | High
Product | pom | parent-groupid | io.airlift | Medium
Product | pom | artifactid | tpch | Highest
Product | pom | parent-artifactid | airbase | Medium
Product | jar | package name | io | Highest
Product | gradle | artifactid | tpch | Highest
Product | jar | package name | prestosql | Highest
Product | pom | url | prestosql/tpch | High
Version | file | version | 1.0 | High
Version | pom | version | 1.0 | Highest
Version | gradle | version | 1.0 | Highest
Version | Manifest | Implementation-Version | 1.0 | High
Version | pom | parent-version | 1.0 | Low
trove4j-1.0.20181211.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.jetbrains.intellij.deps/trove4j/1.0.20181211/216c2e14b070f334479d800987affe4054cd563f/trove4j-1.0.20181211.jar
MD5: 5cc726d08f3d05f7a7cadd4c20c2de78
SHA1: 216c2e14b070f334479d800987affe4054cd563f
SHA256: affb7c85a3c87bdcf69ff1dbb84de11f63dc931293934bc08cd7ab18de083601
Referenced In Project/Scope: core:kotlinCompilerClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | gradle | groupid | org.jetbrains.intellij.deps | Highest
Vendor | jar | package name | trove | Low
Vendor | file | name | trove4j | High
Vendor | jar | package name | gnu | Low
Product | gradle | artifactid | trove4j | Highest
Product | jar | package name | trove | Low
Product | file | name | trove4j | High
Version | file | name | trove4j | Medium
Version | gradle | version | 1.0.20181211 | Highest
Version | file | version | 1.0.20181211 | High
unused-1.0.0.jar
License:
The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.spark-project.spark/unused/1.0.0/205fe37a2fade6ce6dfcf8eff57ed21a4a1c22af/unused-1.0.0.jar
MD5: 763373ce9fe48581d4f2b8ffca35bb82
SHA1: 205fe37a2fade6ce6dfcf8eff57ed21a4a1c22af
SHA256: 00fd27fc9bde701581e7dcf5b95981d9e749a1c176bb8bfcd49f675768ff6bf0
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | unused | High
Vendor | jar | package name | spark | Low
Vendor | gradle | groupid | org.spark-project.spark | Highest
Vendor | pom | artifactid | unused | Low
Vendor | pom | name | empty | High
Vendor | jar | package name | unused | Low
Vendor | jar | package name | apache | Low
Vendor | pom | groupid | spark-project.spark | Highest
Vendor | jar | package name | spark | Highest
Vendor | jar | package name | unused | Highest
Product | gradle | artifactid | unused | Highest
Product | file | name | unused | High
Product | jar | package name | spark | Low
Product | pom | name | empty | High
Product | jar | package name | unused | Low
Product | jar | package name | unusedstubclass | Low
Product | pom | groupid | spark-project.spark | Highest
Product | pom | artifactid | unused | Highest
Product | jar | package name | spark | Highest
Product | jar | package name | unused | Highest
Version | pom | version | 1.0.0 | Highest
Version | file | version | 1.0.0 | High
Version | gradle | version | 1.0.0 | Highest
Related Dependencies
spark-unsafe_2.10-2.2.2.jar (shaded: org.spark-project.spark:unused:1.0.0)
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-unsafe_2.10/2.2.2/e1eea755909a18bc15b6c49321e5ad9b66a4e6ee/spark-unsafe_2.10-2.2.2.jar/META-INF/maven/org.spark-project.spark/unused/pom.xml
MD5: d6ad388404a779317ba64758c10c1282
SHA1: 988830f707d4513a2b95dd615b3c5892d9037d27
SHA256: 4f0bcc57995c466e871e9ff03940188f2a66aa5ed36076d66e81886635c79824
pkg:maven/org.spark-project.spark/unused@1.0.0
spark-launcher_2.10-2.2.2.jar (shaded: org.spark-project.spark:unused:1.0.0)
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-launcher_2.10/2.2.2/5362ba56171849ce261d8504d0a8870f369f2441/spark-launcher_2.10-2.2.2.jar/META-INF/maven/org.spark-project.spark/unused/pom.xml
MD5: d6ad388404a779317ba64758c10c1282
SHA1: 988830f707d4513a2b95dd615b3c5892d9037d27
SHA256: 4f0bcc57995c466e871e9ff03940188f2a66aa5ed36076d66e81886635c79824
pkg:maven/org.spark-project.spark/unused@1.0.0
spark-network-shuffle_2.10-2.2.2.jar (shaded: org.spark-project.spark:unused:1.0.0)
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-network-shuffle_2.10/2.2.2/150b7893eec6f82a3900590c529f7b2a6e5d50f5/spark-network-shuffle_2.10-2.2.2.jar/META-INF/maven/org.spark-project.spark/unused/pom.xml
MD5: d6ad388404a779317ba64758c10c1282
SHA1: 988830f707d4513a2b95dd615b3c5892d9037d27
SHA256: 4f0bcc57995c466e871e9ff03940188f2a66aa5ed36076d66e81886635c79824
pkg:maven/org.spark-project.spark/unused@1.0.0
spark-network-common_2.10-2.2.2.jar (shaded: org.spark-project.spark:unused:1.0.0)
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-network-common_2.10/2.2.2/21c00bf2f87048dcb6b128c7a5c8ea18e9582333/spark-network-common_2.10-2.2.2.jar/META-INF/maven/org.spark-project.spark/unused/pom.xml
MD5: d6ad388404a779317ba64758c10c1282
SHA1: 988830f707d4513a2b95dd615b3c5892d9037d27
SHA256: 4f0bcc57995c466e871e9ff03940188f2a66aa5ed36076d66e81886635c79824
pkg:maven/org.spark-project.spark/unused@1.0.0
spark-tags_2.10-2.2.2.jar (shaded: org.spark-project.spark:unused:1.0.0)
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.spark/spark-tags_2.10/2.2.2/4df319abe6fcff45bed83a43877c7bdb032e5ee0/spark-tags_2.10-2.2.2.jar/META-INF/maven/org.spark-project.spark/unused/pom.xml
MD5: d6ad388404a779317ba64758c10c1282
SHA1: 988830f707d4513a2b95dd615b3c5892d9037d27
SHA256: 4f0bcc57995c466e871e9ff03940188f2a66aa5ed36076d66e81886635c79824
pkg:maven/org.spark-project.spark/unused@1.0.0
Published Vulnerabilities
CVE-2017-7678
In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not an attack on Spark itself, but on the user, who may then execute the script inadvertently when viewing elements of the Spark web UIs.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (6.1) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Vulnerable Software & Versions:
CVE-2018-1334
In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.
CWE-200 Information Exposure
CVSSv2: Base Score: LOW (1.9) Vector: /AV:L/AC:M/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: MEDIUM (4.7) Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:
CVE-2018-17190
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.
NVD-CWE-noinfo
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
CVE-2020-9480
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).
CWE-287 Improper Authentication
CVSSv2: Base Score: HIGH (9.3) Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3: Base Score: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
uzaygezen-core-0.2.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.google.uzaygezen/uzaygezen-core/0.2/611b82d4c4b4f67cc3d83cf0697ec660fcee2fff/uzaygezen-core-0.2.jar
MD5: e7c07491e229b40738ba0d4be05cedca
SHA1: 611b82d4c4b4f67cc3d83cf0697ec660fcee2fff
SHA256: 29aabe951d220f03b3789332f9f455ca2eba953c91ecef8aa06f76f458cedc4e
Referenced In Projects/Scopes: babel:default piglet:runtimeClasspath spark:default splunk:default function:runtimeClasspath kafka:default redis:runtimeClasspath server:runtimeClasspath cassandra:runtimeClasspath druid:default spark:runtimeClasspath core:default babel:runtimeClasspath elasticsearch:runtimeClasspath innodb:default piglet:default pig:default plus:runtimeClasspath function:default csv:default core:implementationDependenciesMetadata kafka:runtimeClasspath splunk:runtimeClasspath core:compileClasspath file:runtimeClasspath innodb:runtimeClasspath calcite:sqllineClasspath core:runtimeClasspath geode:default elasticsearch:default druid:runtimeClasspath mongodb:runtimeClasspath file:default server:default pig:runtimeClasspath mongodb:default redis:default geode:runtimeClasspath csv:runtimeClasspath plus:default cassandra:default
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | google.uzaygezen | Highest
Vendor | jar | package name | google | Highest
Vendor | pom | name | Uzaygezen-core | High
Vendor | jar | package name | uzaygezen | Low
Vendor | pom | parent-groupid | com.google.uzaygezen | Medium
Vendor | gradle | groupid | com.google.uzaygezen | Highest
Vendor | pom | parent-artifactid | uzaygezen | Low
Vendor | jar | package name | core | Highest
Vendor | jar | package name | uzaygezen | Highest
Vendor | jar | package name | google | Low
Vendor | pom | artifactid | uzaygezen-core | Low
Vendor | jar | package name | core | Low
Vendor | file | name | uzaygezen-core | High
Product | pom | groupid | google.uzaygezen | Highest
Product | jar | package name | google | Highest
Product | pom | parent-artifactid | uzaygezen | Medium
Product | pom | name | Uzaygezen-core | High
Product | jar | package name | uzaygezen | Low
Product | pom | parent-groupid | com.google.uzaygezen | Medium
Product | jar | package name | core | Highest
Product | jar | package name | uzaygezen | Highest
Product | gradle | artifactid | uzaygezen-core | Highest
Product | pom | artifactid | uzaygezen-core | Highest
Product | jar | package name | core | Low
Product | file | name | uzaygezen-core | High
Version | pom | version | 0.2 | Highest
Version | file | version | 0.2 | High
Version | gradle | version | 0.2 | Highest
validation-api-1.1.0.Final.jar
Description:
Bean Validation API
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/javax.validation/validation-api/1.1.0.Final/8613ae82954779d518631e05daa73a6a954817d5/validation-api-1.1.0.Final.jar
MD5: 4c257f52462860b62ab3cdab45f53082
SHA1: 8613ae82954779d518631e05daa73a6a954817d5
SHA256: f39d7ba7253e35f5ac48081ec1bc28c5df9b32ac4b7db20853e5a8e76bf7b0ed
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | validation-api | Low
Vendor | gradle | groupid | javax.validation | Highest
Vendor | jar | package name | javax | Highest
Vendor | Manifest | bundle-symbolicname | javax.validation.api | Medium
Vendor | pom | name | Bean Validation API | High
Vendor | pom | groupid | javax.validation | Highest
Vendor | file | name | validation-api | High
Vendor | jar | package name | validation | Highest
Vendor | pom | url | http://beanvalidation.org | Highest
Product | pom | artifactid | validation-api | Highest
Product | jar | package name | javax | Highest
Product | Manifest | bundle-symbolicname | javax.validation.api | Medium
Product | pom | name | Bean Validation API | High
Product | gradle | artifactid | validation-api | Highest
Product | pom | groupid | javax.validation | Highest
Product | file | name | validation-api | High
Product | Manifest | Bundle-Name | Bean Validation API | Medium
Product | jar | package name | validation | Highest
Product | pom | url | http://beanvalidation.org | Medium
Version | Manifest | Bundle-Version | 1.1.0.Final | High
Version | pom | version | 1.1.0.Final | Highest
Version | gradle | version | 1.1.0.Final | Highest
xalan-2.7.1.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/xalan/xalan/2.7.1/75f1d83ce27bab5f29fff034fc74aa9f7266f22a/xalan-2.7.1.jar
MD5: d43aad24f2c143b675292ccfef487f9c
SHA1: 75f1d83ce27bab5f29fff034fc74aa9f7266f22a
SHA256: 55a2e95144acf1abe44fea91c2948525c9b1f00fcaa1d10e753e92872ffbdd1e
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | manifest: org/apache/regexp/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | manifest: org/apache/xalan/xsltc/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | manifest: java_cup/runtime/ | Implementation-Vendor | Princeton University | Medium
Vendor | manifest: org/apache/xml/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | manifest: org/apache/xalan/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | jar | package name | apache | Highest
Vendor | manifest: org/apache/bcel/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | gradle | groupid | xalan | Highest
Vendor | file | name | xalan | High
Vendor | jar | package name | apache | Low
Vendor | manifest: org/apache/xpath/ | Implementation-Vendor | Apache Software Foundation | Medium
Product | manifest: org/apache/bcel/ | Specification-Title | Byte Code Engineering Library | Medium
Product | jar | package name | bcel | Highest
Product | jar | package name | code | Highest
Product | manifest: org/apache/bcel/ | Implementation-Title | org.apache.bcel | Medium
Product | manifest: org/apache/xml/ | Implementation-Title | org.apache.xml | Medium
Product | jar | package name | expression | Highest
Product | manifest: org/apache/regexp/ | Implementation-Title | org.apache.regexp | Medium
Product | manifest: java_cup/runtime/ | Implementation-Title | runtime | Medium
Product | jar | package name | apache | Highest
Product | jar | package name | xml | Highest
Product | jar | package name | runtime | Highest
Product | jar | package name | regexp | Highest
Product | jar | package name | xsltc | Highest
Product | gradle | artifactid | xalan | Highest
Product | manifest: java_cup/runtime/ | Specification-Title | Runtime component of JCup | Medium
Product | manifest: org/apache/xalan/xsltc/ | Implementation-Title | org.apache.xalan.xsltc | Medium
Product | file | name | xalan | High
Product | manifest: org/apache/xalan/ | Specification-Title | Java API for XML Processing | Medium
Product | manifest: org/apache/regexp/ | Specification-Title | Java Regular Expression package | Medium
Product | jar | package name | xalan | Highest
Product | manifest: org/apache/xpath/ | Implementation-Title | org.apache.xpath | Medium
Product | manifest: org/apache/xalan/ | Implementation-Title | org.apache.xalan | Medium
Product | manifest: org/apache/xalan/xsltc/ | Specification-Title | Java API for XML Processing | Medium
Product | jar | package name | xpath | Highest
Version | manifest: org/apache/xalan/ | Implementation-Version | 2.7.1 | Medium
Version | manifest: java_cup/runtime/ | Implementation-Version | 2.7.1 | Medium
Version | file | version | 2.7.1 | High
Version | manifest: org/apache/bcel/ | Implementation-Version | 2.7.1 | Medium
Version | file | name | xalan | Medium
Version | manifest: org/apache/regexp/ | Implementation-Version | 2.7.1 | Medium
Version | manifest: org/apache/xalan/xsltc/ | Implementation-Version | 2.7.1 | Medium
Version | manifest: org/apache/xpath/ | Implementation-Version | 2.7.1 | Medium
Version | manifest: org/apache/xml/ | Implementation-Version | 2.7.1 | Medium
Version | gradle | version | 2.7.1 | Highest
Published Vulnerabilities
CVE-2014-0107
The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.
CWE-264 Permissions, Privileges, and Access Controls
CVSSv2: Base Score: HIGH (7.5) Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Vulnerable Software & Versions:
xbean-asm5-shaded-4.4.jar
Description:
Repackaged and shaded asm 5.x jars
License:
http://asm.ow2.org/license.html
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.xbean/xbean-asm5-shaded/4.4/a413bb5a8571d4c86a47e8a0272ba7ab0d1a17f5/xbean-asm5-shaded-4.4.jar
MD5: a7f12ad12043241dd36239ff9a77dff6
SHA1: a413bb5a8571d4c86a47e8a0272ba7ab0d1a17f5
SHA256: 7d41dde216615b6c08adafe16e73598cd4ebfaa090394ae692dda8094576952a
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | gradle | groupid | org.apache.xbean | Highest
Vendor | jar | package name | asm5 | Highest
Vendor | pom | name | Apache XBean :: ASM 5 shaded (repackaged) | High
Vendor | pom | parent-groupid | org.apache.xbean | Medium
Vendor | jar | package name | xbean | Highest
Vendor | Manifest | bundle-symbolicname | org.apache.xbean.asm5-shaded | Medium
Vendor | Manifest | bundle-docurl | http://geronimo.apache.org/maven/xbean/4.4/xbean-asm5-shaded | Low
Vendor | jar | package name | apache | Highest
Vendor | pom | parent-artifactid | xbean | Low
Vendor | file | name | xbean-asm5-shaded | High
Vendor | pom | artifactid | xbean-asm5-shaded | Low
Vendor | pom | groupid | apache.xbean | Highest
Product | jar | package name | asm5 | Highest
Product | pom | name | Apache XBean :: ASM 5 shaded (repackaged) | High
Product | pom | parent-groupid | org.apache.xbean | Medium
Product | jar | package name | xbean | Highest
Product | Manifest | bundle-symbolicname | org.apache.xbean.asm5-shaded | Medium
Product | Manifest | Bundle-Name | Apache XBean :: ASM 5 shaded (repackaged) | Medium
Product | Manifest | bundle-docurl | http://geronimo.apache.org/maven/xbean/4.4/xbean-asm5-shaded | Low
Product | Manifest | Implementation-Title | Apache XBean :: ASM 5 shaded (repackaged) | High
Product | jar | package name | apache | Highest
Product | gradle | artifactid | xbean-asm5-shaded | Highest
Product | pom | parent-artifactid | xbean | Medium
Product | pom | artifactid | xbean-asm5-shaded | Highest
Product | file | name | xbean-asm5-shaded | High
Product | pom | groupid | apache.xbean | Highest
Version | Manifest | Implementation-Version | 4.4 | High
Version | pom | version | 4.4 | Highest
Version | file | version | 4.4 | High
Version | gradle | version | 4.4 | Highest
xbean-asm5-shaded-4.4.jar (shaded: org.apache.xbean:xbean-asm-util:4.4)
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.xbean/xbean-asm5-shaded/4.4/a413bb5a8571d4c86a47e8a0272ba7ab0d1a17f5/xbean-asm5-shaded-4.4.jar/META-INF/maven/org.apache.xbean/xbean-asm-util/pom.xml
MD5: 9f1e70369ed5331452bbe458628f1393
SHA1: 9419eadb931dccfdd4c068a6d4dab350428be837
SHA256: de7d6f5da2734d5b1006d5fbbdb758a52f9dfd81484b3724c547e5a4df8bfc63
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-groupid | org.apache.xbean | Medium
Vendor | pom | parent-artifactid | xbean | Low
Vendor | pom | name | Apache XBean :: ASM 5 Util | High
Vendor | pom | groupid | apache.xbean | Highest
Vendor | pom | artifactid | xbean-asm-util | Low
Product | pom | parent-groupid | org.apache.xbean | Medium
Product | pom | artifactid | xbean-asm-util | Highest
Product | pom | parent-artifactid | xbean | Medium
Product | pom | name | Apache XBean :: ASM 5 Util | High
Product | pom | groupid | apache.xbean | Highest
Version | pom | version | 4.4 | Highest
xercesImpl-2.9.1.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.9.1/7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6/xercesImpl-2.9.1.jar
MD5: f807f86d7d9db25edbfc782aca7ca2a9
SHA1: 7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6
SHA256: 6ae540a7c85c814ac64bea48016b3a6f45c95d4765f547fcc0053dc36c94ed5c
Referenced In Projects/Scopes: calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence
Type | Source | Name | Value | Confidence
Vendor | gradle | groupid | xerces | Highest
Vendor | manifest: org/apache/xerces/xni/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | manifest: javax/xml/validation/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | manifest: javax/xml/xpath/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | manifest: javax/xml/parsers/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | manifest: org/xml/sax/ | Implementation-Vendor | David Megginson | Medium
Vendor | manifest: org/w3c/dom/ | Implementation-Vendor | World Wide Web Consortium | Medium
Vendor | manifest: org/apache/xerces/impl/Version.class | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | jar | package name | apache | Highest
Vendor | file | name | xercesImpl | High
Vendor | manifest: javax/xml/transform/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | jar | package name | apache | Low
Vendor | manifest: org/w3c/dom/ls/ | Implementation-Vendor | World Wide Web Consortium | Medium
Vendor | manifest: javax/xml/datatype/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | jar | package name | xerces | Low
Product | manifest: org/xml/sax/ | Specification-Title | Simple API for XML | Medium
Product | jar | package name | impl | Highest
Product | manifest: javax/xml/datatype/ | Specification-Title | Java API for XML Processing | Medium
Product | manifest: org/apache/xerces/xni/ | Specification-Title | Xerces Native Interface | Medium
Product | jar | package name | parsers | Highest
Product | manifest: org/xml/sax/ | Implementation-Title | org.xml.sax | Medium
Product | jar | package name | apache | Highest
Product | jar | package name | version | Highest
Product | manifest: org/apache/xerces/impl/Version.class | Implementation-Title | org.apache.xerces.impl.Version | Medium
Product | jar | package name | w3c | Highest
Product | jar | package name | xml | Highest
Product | manifest: javax/xml/transform/ | Implementation-Title | javax.xml.transform | Medium
Product | jar | package name | xerces | Low
Product | gradle | artifactid | xercesImpl | Highest
Product | jar | package name | validation | Highest
Product | manifest: javax/xml/datatype/ | Implementation-Title | javax.xml.datatype | Medium
Product | manifest: javax/xml/parsers/ | Specification-Title | Java API for XML Processing | Medium
Product | jar | package name | dom | Highest
Product | manifest: javax/xml/validation/ | Implementation-Title | javax.xml.validation | Medium
Product | jar | package name | xerces | Highest
Product | manifest: javax/xml/transform/ | Specification-Title | Java API for XML Processing | Medium
Product | jar | package name | datatype | Highest
Product | manifest: javax/xml/validation/ | Specification-Title | Java API for XML Processing | Medium
Product | manifest: org/w3c/dom/ | Specification-Title | Document Object Model, Level 3 Core | Medium
Product | manifest: org/w3c/dom/ls/ | Implementation-Title | org.w3c.dom.ls | Medium
Product | jar | package name | xni | Highest
Product | manifest: org/w3c/dom/ls/ | Specification-Title | Document Object Model, Level 3 Load and Save | Medium
Product | file | name | xercesImpl | High
Product | manifest: org/apache/xerces/xni/ | Implementation-Title | org.apache.xerces.xni | Medium
Product | manifest: javax/xml/parsers/ | Implementation-Title | javax.xml.parsers | Medium
Product | manifest: org/w3c/dom/ | Implementation-Title | org.w3c.dom | Medium
Product | manifest: javax/xml/xpath/ | Implementation-Title | javax.xml.xpath | Medium
Product | jar | package name | xpath | Highest
Product | manifest: javax/xml/xpath/ | Specification-Title | Java API for XML Processing | Medium
Version | gradle | version | 2.9.1 | Highest
Version | manifest: javax/xml/xpath/ | Implementation-Version | 1.3.04 | Medium
Version | manifest: org/w3c/dom/ | Implementation-Version | 1.0 | Medium
Version | manifest: org/w3c/dom/ls/ | Implementation-Version | 1.0 | Medium
Version | manifest: org/apache/xerces/impl/Version.class | Implementation-Version | 2.9.1 | Medium
Version | file | version | 2.9.1 | High
Version | file | name | xercesImpl | Medium
Version | manifest: javax/xml/parsers/ | Implementation-Version | 1.3.04 | Medium
Version | manifest: javax/xml/transform/ | Implementation-Version | 1.3.04 | Medium
Version | manifest: org/xml/sax/ | Implementation-Version | 2.0.2 | Medium
Version | manifest: javax/xml/validation/ | Implementation-Version | 1.3.04 | Medium
Version | manifest: org/apache/xerces/xni/ | Implementation-Version | 1.2 | Medium
Version | manifest: javax/xml/datatype/ | Implementation-Version | 1.3.04 | Medium
Published Vulnerabilities
CVE-2009-2625 (OSSINDEX)
> A denial of service flaw was found in the way the JRE processes XML. A remote attacker could use this flaw to supply crafted XML that would lead to a denial of service.
>
> -- [redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2625)

Unscored
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:xerces:xercesImpl:2.9.1:*:*:*:*:*:*:*

xml-apis-1.3.04.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/xml-apis/xml-apis/1.3.04/90b215f48fe42776c8c7f6e3509ec54e84fd65ef/xml-apis-1.3.04.jar
MD5: 9ae9c29e4497fc35a3eade1e6dd0bbeb
SHA1: 90b215f48fe42776c8c7f6e3509ec54e84fd65ef
SHA256: d404aa881eb9c5f7a4fb546e84ea11506cd417a72b5972e88eff17f43f9f8a64
Referenced In Projects/Scopes:
calcite:sqllineClasspath spark:default spark:compileClasspath spark:runtimeClasspath
Evidence:

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | manifest: org/apache/xmlcommons/Version | Implementation-Vendor | Apache Software Foundation | Medium |
| Vendor | manifest: javax/xml/validation/ | Implementation-Vendor | Apache Software Foundation | Medium |
| Vendor | gradle | groupid | xml-apis | Highest |
| Vendor | manifest: javax/xml/xpath/ | Implementation-Vendor | Apache Software Foundation | Medium |
| Vendor | file | name | xml-apis | High |
| Vendor | manifest: javax/xml/parsers/ | Implementation-Vendor | Apache Software Foundation | Medium |
| Vendor | manifest: org/xml/sax/ | Implementation-Vendor | David Megginson | Medium |
| Vendor | manifest: org/w3c/dom/ | Implementation-Vendor | World Wide Web Consortium | Medium |
| Vendor | jar | package name | xml | Low |
| Vendor | jar | package name | apache | Highest |
| Vendor | manifest: javax/xml/transform/ | Implementation-Vendor | Apache Software Foundation | Medium |
| Vendor | manifest: org/w3c/dom/ls/ | Implementation-Vendor | World Wide Web Consortium | Medium |
| Vendor | manifest: javax/xml/datatype/ | Implementation-Vendor | Apache Software Foundation | Medium |
| Product | manifest: javax/xml/datatype/ | Specification-Title | JSR 206 Java API for XML Processing 1.3 | Medium |
| Product | manifest: org/w3c/dom/ls/ | Specification-Title | Document Object Model (DOM) Level 3 Load and Save | Medium |
| Product | manifest: org/xml/sax/ | Specification-Title | Simple API for XML | Medium |
| Product | manifest: org/w3c/dom/ | Specification-Title | Document Object Model (DOM) Level 3 Core | Medium |
| Product | jar | package name | transform | Highest |
| Product | jar | package name | dom | Low |
| Product | jar | package name | parsers | Highest |
| Product | manifest: javax/xml/parsers/ | Specification-Title | JSR 206, Java API for XML Processing 1.3 | Medium |
| Product | manifest: org/xml/sax/ | Implementation-Title | org.xml.sax | Medium |
| Product | jar | package name | document | Highest |
| Product | manifest: org/apache/xmlcommons/Version | Implementation-Title | org.apache.xmlcommons.Version | Medium |
| Product | jar | package name | apache | Highest |
| Product | jar | package name | version | Highest |
| Product | jar | package name | w3c | Highest |
| Product | jar | package name | xml | Highest |
| Product | manifest: javax/xml/transform/ | Implementation-Title | javax.xml.transform | Medium |
| Product | manifest: javax/xml/validation/ | Specification-Title | JSR 206 Java API for XML Processing 1.3 | Medium |
| Product | jar | package name | validation | Highest |
| Product | manifest: javax/xml/datatype/ | Implementation-Title | javax.xml.datatype | Medium |
| Product | jar | package name | dom | Highest |
| Product | jar | package name | ls | Highest |
| Product | manifest: javax/xml/validation/ | Implementation-Title | javax.xml.validation | Medium |
| Product | file | name | xml-apis | High |
| Product | jar | package name | sax | Highest |
| Product | manifest: javax/xml/xpath/ | Specification-Title | JSR 206 Java API for XML Processing 1.3 | Medium |
| Product | jar | package name | datatype | Highest |
| Product | manifest: org/w3c/dom/ls/ | Implementation-Title | org.w3c.dom.ls | Medium |
| Product | jar | package name | javax | Highest |
| Product | manifest: javax/xml/parsers/ | Implementation-Title | javax.xml.parsers | Medium |
| Product | gradle | artifactid | xml-apis | Highest |
| Product | manifest: org/w3c/dom/ | Implementation-Title | org.w3c.dom | Medium |
| Product | manifest: javax/xml/transform/ | Specification-Title | JSR 206 Java API for XML Processing 1.3 | Medium |
| Product | manifest: javax/xml/xpath/ | Implementation-Title | javax.xml.xpath | Medium |
| Product | jar | package name | xmlcommons | Highest |
| Product | jar | package name | xpath | Highest |
| Version | manifest: javax/xml/xpath/ | Implementation-Version | 1.3.04 | Medium |
| Version | manifest: org/w3c/dom/ | Implementation-Version | 1.0 | Medium |
| Version | manifest: org/apache/xmlcommons/Version | Implementation-Version | 1.3.04 | Medium |
| Version | file | name | xml-apis | Medium |
| Version | gradle | version | 1.3.04 | Highest |
| Version | manifest: org/w3c/dom/ls/ | Implementation-Version | 1.0 | Medium |
| Version | manifest: javax/xml/parsers/ | Implementation-Version | 1.3.04 | Medium |
| Version | manifest: javax/xml/transform/ | Implementation-Version | 1.3.04 | Medium |
| Version | manifest: org/xml/sax/ | Implementation-Version | 2.0.2 | Medium |
| Version | manifest: javax/xml/validation/ | Implementation-Version | 1.3.04 | Medium |
| Version | file | version | 1.3.04 | High |
| Version | manifest: javax/xml/datatype/ | Implementation-Version | 1.3.04 | Medium |
xml-resolver-1.2.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/xml-resolver/xml-resolver/1.2/3d0f97750b3a03e0971831566067754ba4bfd68c/xml-resolver-1.2.jar
MD5: 706c533146c1f4ee46b66659ea14583a
SHA1: 3d0f97750b3a03e0971831566067754ba4bfd68c
SHA256: 47dcde8986019314ef78ae7280a94973a21d2ed95075a40a000b42da956429e1
Referenced In Projects/Scopes: babel:fmppClaspath server:fmppClaspath core:fmppClaspath
Evidence:

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | gradle | groupid | xml-resolver | Highest |
| Vendor | jar | package name | apache | Highest |
| Vendor | manifest: org/apache/xml/resolver | Implementation-Vendor | Apache Software Foundation | Medium |
| Vendor | jar | package name | apache | Low |
| Vendor | file | name | xml-resolver | High |
| Vendor | jar | package name | xml | Low |
| Vendor | jar | package name | resolver | Low |
| Product | jar | package name | apache | Highest |
| Product | jar | package name | xml | Highest |
| Product | jar | package name | catalog | Highest |
| Product | manifest: org/apache/xml/resolver | Implementation-Title | org.apache.xml.resolver.Catalog | Medium |
| Product | jar | package name | resolver | Highest |
| Product | gradle | artifactid | xml-resolver | Highest |
| Product | file | name | xml-resolver | High |
| Product | jar | package name | xml | Low |
| Product | jar | package name | resolver | Low |
| Version | manifest: org/apache/xml/resolver | Implementation-Version | 1.2 | Medium |
| Version | file | version | 1.2 | High |
| Version | gradle | version | 1.2 | Highest |
| Version | file | name | xml-resolver | Medium |
xmlenc-0.52.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/xmlenc/xmlenc/0.52/d82554efbe65906d83b3d97bd7509289e9db561a/xmlenc-0.52.jar
MD5: c962b6bc3c8de46795b0ed94851fa9c7
SHA1: d82554efbe65906d83b3d97bd7509289e9db561a
SHA256: 282ae185fc2ff27da7714af9962897c09cfefafb88072219c4a2f9c73616c026
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath spark:default spark:compileClasspath piglet:default pig:default spark:runtimeClasspath pig:compileClasspath
Evidence:

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | jar | package name | xmlenc | Low |
| Vendor | jar | package name | znerd | Low |
| Vendor | file | name | xmlenc | High |
| Vendor | gradle | groupid | xmlenc | Highest |
| Vendor | manifest: xmlenc | Implementation-Vendor | Ernst de Haan | Medium |
| Product | jar | package name | xmlenc | Low |
| Product | jar | package name | xmlenc | Highest |
| Product | file | name | xmlenc | High |
| Product | manifest: xmlenc | Implementation-Title | xmlenc | Medium |
| Product | manifest: xmlenc | Specification-Title | xmlenc | Medium |
| Product | gradle | artifactid | xmlenc | Highest |
| Version | file | version | 0.52 | High |
| Version | file | name | xmlenc | Medium |
| Version | gradle | version | 0.52 | Highest |
| Version | manifest: xmlenc | Implementation-Version | 0.52 | Medium |
xz-1.0.jar
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.tukaani/xz/1.0/ecff5cb8b1189514c9d1d8d68eb77ac372e000c9/xz-1.0.jar
MD5: 8c53d7a772f11a88ee95c6ed0c215e49
SHA1: ecff5cb8b1189514c9d1d8d68eb77ac372e000c9
SHA256: 7eafdc8880da10286c2398fa42e3bf68c3e845c35ae7a6ae67f5cc1fa16c7405
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath pig:runtimeClasspath spark:default spark:compileClasspath piglet:default pig:default spark:runtimeClasspath pig:compileClasspath
Evidence:

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | jar | package name | xz | Low |
| Vendor | Manifest | implementation-url | http://tukaani.org/xz/java.html | Low |
| Vendor | file | name | xz | High |
| Vendor | jar | package name | tukaani | Low |
| Vendor | gradle | groupid | org.tukaani | Highest |
| Product | Manifest | Implementation-Title | XZ data compression | High |
| Product | jar | package name | xz | Low |
| Product | Manifest | implementation-url | http://tukaani.org/xz/java.html | Low |
| Product | file | name | xz | High |
| Product | jar | package name | xz | Highest |
| Product | gradle | artifactid | xz | Highest |
| Product | jar | package name | tukaani | Highest |
| Version | file | version | 1.0 | High |
| Version | Manifest | Implementation-Version | 1.0 | High |
zookeeper-3.4.6.jar
License: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.4.6/1b2502e29da1ebaade2357cd1de35a855fa3755/zookeeper-3.4.6.jar
MD5: 7d01d317c717268725896cfb81b18152
SHA1: 01b2502e29da1ebaade2357cd1de35a855fa3755
SHA256: 8a375a1ef98cbc0e1f6e9dfd0d96d914b74d37ad00b4bf81beb77fa8f34d33ae
Referenced In Projects/Scopes: piglet:compileClasspath piglet:runtimeClasspath calcite:sqllineClasspath spark:default spark:compileClasspath piglet:default spark:runtimeClasspath
Evidence:

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | jar | package name | zookeeper | Highest |
| Vendor | file | name | zookeeper | High |
| Vendor | Manifest | built-at | 02/23/2014 17:18 GMT | Low |
| Vendor | Manifest | bundle-docurl | http://hadoop.apache.org/zookeeper | Low |
| Vendor | jar | package name | apache | Highest |
| Vendor | Manifest | built-on | fpj-Virtual-Machine | Low |
| Vendor | jar | package name | zookeeper | Low |
| Vendor | gradle | groupid | org.apache.zookeeper | Highest |
| Vendor | Manifest | bundle-symbolicname | org.apache.hadoop.zookeeper | Medium |
| Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High |
| Vendor | jar | package name | apache | Low |
| Product | jar | package name | zookeeper | Highest |
| Product | file | name | zookeeper | High |
| Product | Manifest | built-at | 02/23/2014 17:18 GMT | Low |
| Product | Manifest | bundle-docurl | http://hadoop.apache.org/zookeeper | Low |
| Product | jar | package name | apache | Highest |
| Product | Manifest | built-on | fpj-Virtual-Machine | Low |
| Product | jar | package name | zookeeper | Low |
| Product | Manifest | bundle-symbolicname | org.apache.hadoop.zookeeper | Medium |
| Product | Manifest | Bundle-Name | ZooKeeper Bundle | Medium |
| Product | Manifest | Implementation-Title | org.apache.zookeeper | High |
| Product | gradle | artifactid | zookeeper | Highest |
| Version | jar | package name | zookeeper | Highest |
| Version | jar | package name | apache | Highest |
| Version | Manifest | Bundle-Version | 3.4.6 | High |
| Version | file | name | zookeeper | Medium |
| Version | gradle | version | 3.4.6 | Highest |
| Version | file | version | 3.4.6 | High |
| Version | Manifest | Implementation-Version | 3.4.6-1569965 | High |
Published Vulnerabilities
CVE-2016-5017
Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:" batch mode syntax, allows attackers to have unspecified impact via a long command string.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.1) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:

CVE-2017-5637
Two four letter word commands "wchp/wchc" are CPU intensive and could cause a spike in CPU utilization on an Apache ZooKeeper server if abused, which leaves the server unable to serve legitimate client requests. Apache ZooKeeper through version 3.4.9 and 3.5.2 suffer from this issue; it is fixed in 3.4.10, 3.5.3, and later.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion'), CWE-306 Missing Authentication for Critical Function
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Vulnerable Software & Versions:

CVE-2018-8012
No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result, an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader.
CWE-862 Missing Authorization
CVSSv2: Base Score: MEDIUM (5.0) Vector: /AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSSv3: Base Score: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions:

CVE-2019-0201
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper's getACL() command doesn't check any permission when it retrieves the ACLs of the requested node, and returns all information contained in the ACL Id field as a plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by a getACL() request from unauthenticated or unprivileged users.
CWE-862 Missing Authorization
CVSSv2: Base Score: MEDIUM (4.3) Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Vulnerable Software & Versions:

CVE-2021-21409 (OSSINDEX)
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed fixing this one case. This was fixed as part of 4.1.61.Final.
CVSSv3: Base Score: MEDIUM (5.9) Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:org.apache.zookeeper:zookeeper:3.4.6:*:*:*:*:*:*:*

zstd-jni-1.3.7-1.jar
Description: JNI bindings for Zstd native library that provides fast and high compression lossless algorithm for Java and all JVM languages.
License: https://opensource.org/licenses/BSD-2-Clause;description=BSD 2-Clause License
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.luben/zstd-jni/1.3.7-1/7100c646bbb0acad54b7add33dab25ff4b3ba4df/zstd-jni-1.3.7-1.jar
MD5: c2a66122380a2a33df7f0ce09f593e71
SHA1: 7100c646bbb0acad54b7add33dab25ff4b3ba4df
SHA256: ebefe5b8698a57c55c64a297eaf8ba931c2cbc7df5b72de38ac1d034372b46e6
Referenced In Projects/Scopes: kafka:runtimeClasspath calcite:sqllineClasspath kafka:compileClasspath kafka:default
Evidence:

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | gradle | groupid | com.github.luben | Highest |
| Vendor | jar | package name | github | Highest |
| Vendor | jar | package name | luben | Highest |
| Vendor | Manifest | Implementation-Vendor-Id | com.github.luben | Medium |
| Vendor | jar | package name | zstd | Low |
| Vendor | jar | package name | luben | Low |
| Vendor | file | name | zstd-jni | High |
| Vendor | Manifest | automatic-module-name | com.github.luben.zstd_jni | Medium |
| Vendor | jar | package name | github | Low |
| Vendor | Manifest | Implementation-Vendor | com.github.luben | High |
| Vendor | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low |
| Vendor | Manifest | specification-vendor | com.github.luben | Low |
| Vendor | jar | package name | zstd | Highest |
| Vendor | Manifest | bundle-symbolicname | com.github.luben.zstd-jni | Medium |
| Product | jar | package name | github | Highest |
| Product | jar | package name | luben | Highest |
| Product | Manifest | Bundle-Name | zstd-jni | Medium |
| Product | jar | package name | zstd | Low |
| Product | jar | package name | luben | Low |
| Product | file | name | zstd-jni | High |
| Product | Manifest | automatic-module-name | com.github.luben.zstd_jni | Medium |
| Product | gradle | artifactid | zstd-jni | Highest |
| Product | Manifest | specification-title | zstd-jni | Medium |
| Product | Manifest | require-capability | osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" | Low |
| Product | jar | package name | zstd | Highest |
| Product | Manifest | Implementation-Title | zstd-jni | High |
| Product | Manifest | bundle-symbolicname | com.github.luben.zstd-jni | Medium |
| Version | Manifest | Implementation-Version | 1.3.7-1 | High |
| Version | file | version | 1.3.7.1 | High |
zstd-jni-1.3.7-1.jar: libzstd-jni.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.luben/zstd-jni/1.3.7-1/7100c646bbb0acad54b7add33dab25ff4b3ba4df/zstd-jni-1.3.7-1.jar/win/x86/libzstd-jni.dll
MD5: d4bf33e77bec84596b9e989afa001ca1
SHA1: 9beb0abf102c3ad980036dd53b9ca227428529fc
SHA256: 5defdabbc0eea3dc5348d990d56013b9a9373d574b1efb61846a76e53fe9516a
Referenced In Projects/Scopes: kafka:runtimeClasspath calcite:sqllineClasspath kafka:compileClasspath kafka:default
Evidence:

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | libzstd-jni | High |
| Product | file | name | libzstd-jni | High |

zstd-jni-1.3.7-1.jar: libzstd-jni.dll
File Path: /home/stamatis/.gradle/caches/modules-2/files-2.1/com.github.luben/zstd-jni/1.3.7-1/7100c646bbb0acad54b7add33dab25ff4b3ba4df/zstd-jni-1.3.7-1.jar/win/amd64/libzstd-jni.dll
MD5: cfd651a15ef29acf0e11dfcd41efb6e7
SHA1: 3bc54bff4dff5e1c48e367f9e3ec6c39c80fc188
SHA256: 3bebcf324ee53dca1ce2bacc46924aba46196d323da79f246d92ad9f5a81b63b
Referenced In Projects/Scopes: kafka:runtimeClasspath calcite:sqllineClasspath kafka:compileClasspath kafka:default
Evidence:

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | libzstd-jni | High |
| Product | file | name | libzstd-jni | High |